Abstract

Because of the difficulty of adequately simulating large digital designs, there has been a recent surge of interest in formal verification, in which a mathematical model of the design is proved to satisfy a precise specification. Model checking is one formal verification technique. It consists of checking that a finite-state model of the design satisfies a specification given in temporal logic, which is a logic that can express properties involving the sequencing of events in time. One of the main drawbacks of model checking is the state explosion problem. This problem occurs in systems composed of multiple processes executing in parallel; the size of the state space generally grows exponentially with the number of components. This thesis considers two methods for avoiding the state explosion problem in the context of model checking: compositional verification and abstraction.

In compositional verification, our goal is to check local properties of the components in the design, deduce that these hold in the global system, and then use them to prove the overall specification. With abstraction, we can hide internal state, replace complex data types with simpler abstract ones, or simplify some of the timing behavior of the components. Using a connection between the abstracted and unabstracted systems, we deduce that whatever properties we prove at the abstract level also hold in the original system. We develop the necessary framework for using these two techniques with model checking, and demonstrate via a number of examples how they can be applied to realistic systems. Our largest example is the cache coherence protocol described in the IEEE Futurebus+ standard. In the course of the verification, we found errors in the standard, and proposed fixes for the protocol.
Chapter 1
Introduction


With society's increasing reliance on digital systems comes an increased emphasis on their dependability. Design errors can lead to serious failures, resulting in the loss of time, money, and, in some cases, lives. Further, even when an error is discovered during the design cycle, large amounts of effort can be required to correct the problem, especially if the error is found late in the process. For these reasons, we need methods that enable us to validate designs as early as possible. Traditionally, simulation has been the main debugging technique. However, because of the increasing complexity of digital systems, it is rapidly becoming impossible to simulate large designs adequately. For this reason, there has been a recent surge of interest in formal verification. In formal verification, a mathematical model of the design is compared with a formal specification describing the correctness criteria for the design. The verification is exhaustive: all possible behaviors of the model (and its environment) are considered. Further, the model of the system can be highly abstract, making it possible to check properties of a design during the earliest stages of its development.

Most formal verification methods fall into one of two classes. In proof-based methods, the designer constructs a mathematical proof, perhaps with the aid of some automated support, that the model meets its specification. Because the full power of mathematics is available, such techniques are very flexible. It is possible to model systems at almost any level of detail, and to prove properties of entire classes of systems. The main drawback of such methods is that they require a large amount of sophistication and effort on the part of the user. In contrast, state-exploration methods restrict the model to be finite-state and use state space search algorithms to check automatically that the specification is satisfied. Further, if the specification is false, then a counterexample trace can be produced to show the user why this is the case. This counterexample is invaluable in debugging the problem. The state-exploration methods require less expertise to use, but they do have some drawbacks. The most serious of these is the state explosion problem. This problem arises in systems composed of multiple components operating in parallel: the total number of states in the system generally grows exponentially with the number of components. This thesis is concerned with methods for attacking the state explosion problem.

The particular type of state-exploration method that we will be considering is called temporal logic model checking. Temporal logic is a logic for specifying how propositions change over time without introducing time explicitly [82]. It is a convenient formalism for specifying reactive systems (systems whose correct behavior is defined in terms of their interaction with an environment, rather than, e.g., their output upon termination) [75, 76]. In typical temporal logics, we have access to temporal operators such as "always" or "eventually". These operators can be nested, allowing us to express complex conditions. For example, we can specify that every time p is true, then at some later time q must be true by: "always, if p then eventually q". Temporal logic has been used extensively for specifying and verifying properties of hardware, starting with the work of Malachi and Owicki [66] and Bochmann [8], and most of our examples will be drawn from the area of computer hardware. Early verification was done by manual proofs, and as a result only very small systems could be checked. Further, the process was time-consuming and error-prone. (In fact, when Bochmann "verified" an arbiter design due to Seitz [83], he had to make some simplifying assumptions to make the proof manageable, and in the process, he missed a bug that was later found by Dill and Clarke [44].) The introduction of model checking procedures by Clarke and Emerson [27] and Quielle and Sifakis [80] was the first step towards being able to handle more realistic designs. In model checking, the design under consideration is described by a finite-state transition system, and an algorithm is used to verify that this system satisfies the specification. The use of model checking made it possible to find errors in nontrivial circuits which had been carefully designed [15, 44].

1.1 Scope of the Thesis

We discuss two main methods for avoiding the state explosion problem in the context of temporal logic model checking: compositional verification and abstraction. The goal of compositional verification is to try to take advantage of a given decomposition of the design into a number of components running in parallel. In our approach, this will mean that instead of forming the composition explicitly, we reason about small groups of components and then use the "local" properties that we verified to check the global specification. In abstraction, we try to simplify our models by hiding details. Verifying the simplified models is generally more efficient than checking properties of the original ones. When using abstraction, we must establish a relationship between the abstract models and the original ones, so that correctness at the abstract level will imply correctness for the original system. Abstraction can take many forms: we may hide parts of the system state, approximate complex data types with simpler ones, or simplify the temporal behavior of the design. In both cases, we are taking advantage of information about the design in order to simplify the verification task. Successful use of compositional verification requires some idea of how parts of the design contribute to satisfying the given specification. When using abstraction, we must balance the desire to hide information with the need to be able to prove the specification. This knowledge about the design must come from the person performing the verification.

The principal contributions of this thesis are as follows:

1. A method for constructing compositional verification systems using different types of temporal logic, and a particular compositional verification framework based on the logic CTL.

2. Methods for using abstraction within the above framework. We consider techniques for hiding state, abstracting data values, and abstracting complex timing behavior. We also develop ways of efficiently producing the abstract models without explicitly constructing the unabstracted ones.

3. Ways of using symbolic parameters together with the above methods. Symbolic parameters essentially allow us to verify entire classes of properties or classes of systems simultaneously. In practice, the complexity of this verification is usually not much greater than the complexity of verifying an individual member of the class. We demonstrate how the use of symbolic parameters can greatly increase the power of our abstraction and compositional verification techniques.

4. Verification of part of the IEEE Futurebus+ standard [59]. We show that our techniques are practical by using them to verify the Futurebus+ cache coherence protocol. The verification is of independent interest as well, since we discovered errors in the IEEE standard.


1.2 Related Work

1.2.1 Temporal logic

There are a variety of temporal logic model checking procedures using a number of different logics [12, 27, 28, 33, 45, 64, 80, 92, 94, 95]. We will be concentrating on one particular logic, CTL [27], and one particular model of computation, but many of the ideas that we discuss are applicable to other logics and models. In contrast to our work, traditional model checking algorithms have dealt with the problem of determining whether a closed system satisfies a given specification. Part of our compositional verification framework is a tableau construction relating formulas in our logic with finite-state processes. It has a flavor similar to other tableau-like constructions [5, 24, 27, 46, 64, 78, 92, 95].

1.2.2 Efficient state-space search procedures

Much of the recent interest in formal verification methods has arisen from powerful techniques for searching large state spaces. By using binary decision diagrams (BDDs) (or more precisely, reduced, ordered BDDs) [11, 17, 18] to represent transition systems and state sets, it is possible to explore regular state spaces with extremely large numbers of states [4, 9, 22, 23, 24, 36, 37, 38, 47, 48, 67, 89]. Partial-order approaches attempt to cut down the search space by ignoring irrelevant interleavings of concurrent events in asynchronous systems [50, 67, 79, 90, 91]. All of these methods are useful for reducing the state explosion problem, but they are largely orthogonal to the methods that we consider. We do, however, make extensive use of the BDD-based techniques. They provide a powerful and flexible symbolic manipulation facility for working with sets and relations over finite domains. (A brief summary of BDDs is given in appendix A.)

1.2.3 Compositional verification

In this subsection, we survey methods designed to take advantage of the decomposition of a system into processes in order to simplify verification. Local model checking algorithms [33, 86, 94] based on logics like the propositional μ-calculus use a tableau-based procedure to deduce that a specific state (the initial state of the system) satisfies a given logical formula. The state space can be generated as needed in such an algorithm, and for some formulas, only a small portion of the space may have to be examined. Thus, by having a representation in terms of a set of components and producing global states only when required, it is sometimes possible to save significant time and space. The main drawback of these algorithms is that often the entire global state space is generated (for example, when checking that a property holds at every reachable state).

Winskel [93] proposes a method for decomposing logical specifications in the propositional μ-calculus into properties which the components of a system must satisfy for the specification to hold. The approach is appealing, but as might be expected, dealing with parallel composition is difficult. In our work, it is up to the user to derive appropriate specifications for the individual components.

Graf and Steffen [51] describe a method for generating a reduced version of the global state space given a description of how the system is structured and specifications of how the components interact. Clarke, Long and McMillan [31, 32] describe a similar attempt. Both methods will still produce large state graphs if most of the states in the system are not equivalent, and much of the verification must be redone if part of the system changes. Shtadler and Grumberg [84] show how to verify networks of processes whose structure is described by grammars. In this approach, which involves finding the global behavior of each component, networks of arbitrary complexity can be verified by checking one representative system. For many systems, however, the number of states may still be prohibitive. While all of these methods do take advantage of the process structure, they are still constructing some form of a global state graph.

Compositionality is one of the main motivations behind the work on process algebras [7, 55, 57, 71]. By using equivalences or preorders, it is possible to construct hierarchical proofs of correctness of systems. At each stage, a small group of components is combined, internal actions are hidden, and the product is reduced. There are also links between these equivalences and preorders and various modal logics [55, 56]. One of our original approaches to compositional verification had much the same flavor: it was based on an equivalence between processes and a relationship between logical satisfaction and the equivalence [31].

Trace- and language-based methods [21, 43, 62] also support compositional verification. These methods are based on inclusion between sets of traces or sets of strings, and hence provide a natural framework for doing hierarchical correctness proofs. The approaches generally use linear-time semantics, while we will be concentrating on branching-time semantics and specifications in a temporal logic.

In 1984, Pnueli proposed the assume-guarantee paradigm for reasoning about concurrent systems [77]. In Pnueli's framework, we reason with triples of the form ⟨φ⟩M⟨ψ⟩, where φ represents an assumption about the environment of M, and ψ is a guarantee about what will be true when this assumption holds. This approach is a powerful method for reasoning about concurrent systems. Pnueli used linear-time temporal logic (LTL) and a shared-memory process model. As most of our examples come from the hardware domain, this form of communication is not particularly appropriate. However, we would still like to be able to use the assume-guarantee paradigm. Our goal in chapters 2 and 3 will be to adapt the paradigm to a more traditional state-machine model. We also demonstrate the practical value of the approach on a significant example, the Futurebus+ cache coherence protocol.

Josko [60] has developed a compositional verification methodology based on CTL. In his approach, specifications are given in a restricted form of CTL (essentially ACTL, as considered in section 2.5). Assumptions about the environment are given by a class of LTL formulas that are also expressible in ACTL. He gives an algorithm for checking whether a formula holds for a state machine given an assumption about the environment. The algorithm is based on a labeling procedure that annotates states with subformulas of the specification and derivatives [19] of the assumption. The system does support assume-guarantee style reasoning. However, the algorithm is fairly ad hoc, the set of assumptions that can be expressed is restricted, and the method is not suitable for hierarchical verification or for using finite state induction techniques [63, 97]. Our approach does not suffer from these drawbacks.

Shurek and Grumberg [85] describe criteria for obtaining a compositional framework, and illustrate the idea using CTL* with only universal path quantifiers. This system is closest to the work presented in chapters 2 and 3. However, they give no provisions for handling fairness efficiently, using formulas as assumptions, or supporting temporal reasoning. For completeness purposes, models in their system are also associated with a fixed decomposition into components. Their overall focus is on proof systems and general aspects of modular verification, while ours is on demonstrating that these ideas are practical and can be used to simplify the verification of real systems.

1.2.4 Abstraction

Our main goal in using abstraction is to verify systems that manipulate data in nontrivial ways. Recently, symbolic model checking techniques [23, 24, 39, 67] have been used to handle circuits with data paths. The symbolic representations are able to capture much of the regularity in typical data manipulations. However, these methods are still unable to deal with some systems of realistic complexity. Our methods are designed to complement these techniques.

Wolper [96] has described how to use model checking to verify data independent systems. These are systems where the stored data values do not affect the course of the computation. For example, a protocol whose only function is to move data from a sender to a receiver (with no error checking, etc.) is typically data independent. Model checking for such systems can be done using only the control structure; the data can be abstracted away entirely. Unfortunately, many interesting systems are not data independent. In contrast, our techniques can cope with systems that are not data independent.

Van Aelten et al. [1] discuss a method for simplifying the verification of synchronous processors by abstracting away the data path. Their technique is to derive correctness conditions for the control circuitry by using a schedule of data path operations in the form of a signal flow graph (SFG). The data path is verified in a separate step. Claesen et al. [25] also discuss techniques for verifying digital signal processors against SFGs. These procedures are very specialized and efficient, but they cannot handle general properties: in a sense they just compare the control circuitry with the property specified by the SFG. Fujita [49] describes a method for verifying circuits with data paths by translating temporal logic specifications for the whole circuit into specifications involving only the control circuitry. In all of these approaches, dealing with feedback from the data path to the control circuitry is somewhat awkward. Corella [35] discusses a method for verifying circuits with data paths against algorithmic-level specifications. His approach involves constructing a state graph in which the data register values are terms built from variables and uninterpreted function symbols. The actual data path elements are verified separately. The method is not guaranteed to terminate, and it may give false negatives due to properties of the data path operations, but it has the advantage of being independent of data path width. It is not clear that it can be implemented using BDD-based representations, so it may not be able to handle circuits with complex control logic. Our use of symbolic parameters together with abstraction does not allow us to separate completely the control and data paths, but it does greatly simplify the verification. Further, our approach handles general properties and feedback from the data path to the control with ease.

Kurshan [62] did much of the pioneering work on using abstraction to verify finite-state systems. His approach has been automated in the COSPAN verification system [53, 54]. The basic notion of correctness is one of ω-language containment. Further, the user may use abstract models of the system and specification in order to reduce the complexity of the test for containment. To ensure soundness, the user specifies homomorphisms between the actual and abstract processes. These homomorphic reductions are checked automatically. Our work differs from Kurshan's in the following ways:

1. We are working in a branching-time rather than a linear-time framework. We concentrate on the use of temporal logics for specification.

2. The abstractions that we use correspond to language homomorphisms induced by boolean algebra homomorphisms in Kurshan's work. For this type of abstraction, we show how to derive automatically an approximation to the abstracted system. The approximation is constructed directly from a high-level representation of the system (e.g., as a program in a finite-state language). It is not necessary to examine the state space of the unabstracted machine. Because of this, constructing the approximation is quite efficient. We demonstrate by example that this form of abstraction is powerful enough and that the approximation is accurate enough to allow us to verify interesting properties.

3. We show how to use symbolic parameters to increase the power of abstraction for verifying data-dependent systems.

General frameworks for abstraction are discussed by Burch [21] and by Bensalem et al. [6]. Burch's work is in the context of trace theory. He defines the notion of a conservative approximation between trace structures at different levels of abstraction. The approach of Kurshan can be viewed as a particular type of conservative approximation. Burch considers mainly applications to the verification of real-time systems. Bensalem et al. use the notion of a Galois connection between sets of states of two processes to define what it means for one process to be an abstraction of another. They also discuss the preservation of logical properties in the μ-calculus between abstract and concrete processes. The approach that we have chosen for formalizing our notion of abstraction is a type of cross between conservative approximations and Galois connections. While both Burch and Bensalem et al. concentrate mainly on producing a theoretical framework, our emphasis is on efficiently producing abstract transition systems, combining abstraction with symbolic parameters, and demonstrating the application of these facilities to nontrivial examples.

The techniques that we use for efficiently producing abstract models from high-level representations are similar to those used in abstract interpretation [40, 41, 73, 74]. Abstract interpretation is a powerful method for program analysis that is based on constructing an abstract semantics for the programming language and then "executing" the program using these semantics. The semantics is designed so that this abstract execution always terminates. Abstract interpretation is used mainly to infer information that can help in generating more efficient code when compiling the program. As such, most abstract interpretations are designed to capture static information (e.g., what variables are live at this program point? are these two pointers ever aliased? is there a linear relation between these index variables?). When verifying reactive systems, it is the dynamic behavior of the system that is of interest. Further, abstract interpretations are generally constructed to collect a fixed type of information about programs in a fixed target language. In our work, the user has the flexibility to construct new abstractions dynamically and even to extend the description language. We then use symbolic manipulation techniques to produce automatically an appropriate abstract semantics.

Other techniques for producing reduced models have been proposed by Bouajjani et al. [10] and Dams, Grumberg and Gerth [42]. These approaches involve refining a partition of the set of states until a model which is minimal (in an appropriate sense) is obtained. While these procedures can make use of BDD-based representations for individual elements of the partition, the final result is essentially an explicit-state representation of the reduced model. Hence, when there are many behaviorally distinguishable states, these procedures may not be feasible. In contrast, our approach directly produces BDDs representing the abstract system.


Chapter 2
Compositional Verification, Part I


In this chapter, we consider methods for using compositional model checking to avoid the state explosion problem. The idea behind compositional methods is to exploit the natural decomposition of a system into communicating parallel processes. We will try to verify properties of individual components, infer that these properties hold in the complete system, and use them to deduce additional properties. The second step, inferring that local properties hold in the complete system, is the key requirement for compositional verification. Thus, we wish to examine the compositional model checking problem: how do we check that a specification is true of all systems that can be built using a given component? Below, we introduce the temporal logic CTL, show how it can be used to specify properties, and discuss the Moore machine model for finite state systems. We prove that the compositional model checking problem for full CTL is hard. Motivated by this result, we show that for a subset of CTL that we call ACTL, the problem is efficiently decidable. In subsequent chapters, we will use ACTL as the basis for doing full assume-guarantee style compositional reasoning and for using abstraction to simplify the verification of temporal properties.
2.1 CTL and Structures

Temporal logic is a logic for expressing the relative ordering of events in time without mentioning time explicitly. We will be using a temporal logic called CTL ("Computation Tree Logic") [27] as our basic specification formalism. Formulas in CTL are built up from:

1. atomic formulas, that express information about what is observable in a single system state;

2. the usual boolean connectives; and

3. temporal operators, that express how things change over time.

All temporal operators in CTL are interpreted relative to an implicit "current state", and each operator consists of two parts. The first is called a path quantifier and is either A or E. A denotes that something should be true of all "paths" (executions, expressed as sequences of states) starting at the current state. In contrast, E is used to specify the existence of a path with a certain property. The second part of a temporal operator is either X, U, or V. These are used to describe the ordering of events along the path or paths indicated by the A or E. The intuitive meanings of X, U, and V are as follows:

1. Xφ: X is read as "next time". Xφ is true of a path if the formula φ is true at the second state on the path. Thus, X is used to express properties about the immediate successors of the current state.

2. φ U ψ: U is the "until" operator. A path satisfies φ U ψ if:

(a) there is some state on the path satisfying ψ; and

(b) for all the preceding states, φ is true.

Thus, φ is true up until a point where ψ is true.

3. φ V ψ: The V operator is the dual of U and is read as "releases". A path satisfies φ V ψ if ψ is true at the current state, and ψ remains true up to and including the first point where φ is true. There is no requirement that φ ever become true, but when it does, it "releases" the requirement that ψ be true.
In a moment, we will look at some example specifications in CTL, but
first, we give the formal definition of the class of CTL formulas. For the
atomic formulas, we will assume that there is a set $A$ of visible state
components that we can observe. In a given state of our system, each
component will have a specific value. We will assume that there is a
set $D_a$ of possible values for the state component $a$.

Definition 2.1 The logic CTL over a set of state components $A$ is the
set of formulas given by the following inductive definition:

1. The constant $true$ is an atomic formula.

2. For each state component $a$ in $A$ and element $d$ of $D_a$, $a = d$ is
an atomic formula.

3. If $\varphi$ and $\psi$ are formulas, then $\neg\varphi$ and $\varphi \wedge \psi$ are formulas.

4. If $\varphi$ and $\psi$ are formulas, then $AX\varphi$, $A(\varphi\, V\, \psi)$ and $A(\varphi\, U\, \psi)$ are
formulas.

We will use the following abbreviations:

    Abbreviation               Meaning
    $false$                    $\neg true$
    $\varphi \vee \psi$        $\neg(\neg\varphi \wedge \neg\psi)$
    $\varphi \rightarrow \psi$ $\neg\varphi \vee \psi$
    $\varphi \oplus \psi$      $(\varphi \wedge \neg\psi) \vee (\neg\varphi \wedge \psi)$
    $\varphi \leftrightarrow \psi$  $\neg(\varphi \oplus \psi)$
    $EX\varphi$                $\neg AX\, \neg\varphi$
    $E(\varphi\, U\, \psi)$    $\neg A(\neg\varphi\, V\, \neg\psi)$
    $E(\varphi\, V\, \psi)$    $\neg A(\neg\varphi\, U\, \neg\psi)$
    $AG\varphi$                $A(false\, V\, \varphi)$
    $AF\varphi$                $A(true\, U\, \varphi)$
    $EG\varphi$                $E(false\, V\, \varphi)$
    $EF\varphi$                $E(true\, U\, \varphi)$

Some of the operators are viewed as abbreviations for two reasons.
First, by expressing E using the duality $E = \neg A \neg$, we reduce the number
of temporal operators that we have to consider when giving semantics
or doing proofs. Second, certain patterns such as $A(true\, U\, \varphi)$
and $A(false\, V\, \varphi)$ occur often enough that it is convenient to have a
special shorthand for them. F and G are intended to express eventuality
and invariance respectively. $F\varphi$ is true of a path when $\varphi$ must hold
at some state on the path (at some point in the “future”). $G\varphi$ is true
of a path when $\varphi$ is true at every state on the path (is true “globally”).

Let us now consider some example CTL formulas and their intuitive
meanings.

1. $AG(req = 1 \rightarrow AF\, ack = 1)$: This formula states that for all
reachable states (AG), if the state satisfies $req = 1$ (“a request is
made”), then at some later point (AF) we must encounter a state
with $ack = 1$ (“an acknowledgment is received”). Note that the
AF is interpreted relative to the state where $req = 1$. The outer
AG is interpreted starting with the initial states of the system.

2. $AG\, AF\, enabled = 1$: No matter what state we reach, at some
later point we must encounter a state where $enabled = 1$. Note
that after we pass a state where $enabled$ is 1, then we must reach
yet another such state. In other words, $enabled$ must be 1
infinitely often.

3. $AG\, EF\, restart = 1$: For any reachable state, there must exist
a path starting at that state that leads to a state satisfying
$restart = 1$. It must always be possible to “restart the system”.

Formally, CTL formulas are interpreted relative to a type of state
transition system. The particular type of state transition system has
traditionally been called a Kripke structure, after Kripke [2]. The only
difference between our definition (below) and the traditional definition
is that the visible state components in our transition systems may range
over non-boolean domains. We will also abbreviate the name to just
“structure”.

Definition 2.2 A structure $M = (S, I, R, A, L)$ is a tuple of the
following form:

1. $S$ is a set of states.

2. $I \subseteq S$ is a set of initial states.
Figure  2.1:  A  structure

Next, we give the semantics of CTL relative to a structure. In
the following definition, we use $comp(\varphi)$ to denote the visible state
components mentioned by the CTL formula $\varphi$. (The formal definition
of $comp$ is deferred.)

Definition 2.4 Let $M$ be a structure and $\varphi$ be a CTL formula with
$A \supseteq comp(\varphi)$. Satisfaction of $\varphi$ by a state $s$ of $M$, denoted by
$M, s \models \varphi$, is defined as follows:

1. $M, s \models true$.

2. $M, s \models a = d$ iff $L(s, a) = d$.

3. $M, s \models \neg\varphi$ iff it is not the case that $M, s \models \varphi$.
$M, s \models \varphi \wedge \psi$ iff $M, s \models \varphi$ and $M, s \models \psi$.

4. Below, we use $\pi$ to denote a path of $M$ starting at $s$, i.e., a
sequence of states $s_0 s_1 s_2 \ldots$ with $s = s_0$ and $R(s_i, s_{i+1})$ for
every $i$.

(a) $M, s \models AX\varphi$ iff for every $\pi$, $M, s_1 \models \varphi$.

(b) $M, s \models A(\varphi\, U\, \psi)$ iff for every $\pi$, there exists $j$ such that
$M, s_j \models \psi$ and for all $i < j$, $M, s_i \models \varphi$.

(c) $M, s \models A(\varphi\, V\, \psi)$ iff for every $\pi$ and all $j$, if $\varphi$ is not
satisfied at $s_i$ for any $i < j$, then $M, s_j \models \psi$.

$\varphi$ is true of $M$ ($M \models \varphi$) if for every $s \in I$, $M, s \models \varphi$.

Later, we will occasionally have a need for fixed point characterizations
of the CTL operators [27]. Suppose that $S$ is a finite set of
states and that $F$ is a function mapping subsets of $S$ to subsets of $S$.
Also, assume that $F$ is monotonic: if $S_1 \subseteq S_2$, then $F(S_1) \subseteq F(S_2)$. A
fixed point of $F$ is a set of states $S_1$ such that $S_1 = F(S_1)$. By Tarski's
theorem [88], $F$ has unique least and greatest fixed points (under the
set inclusion ordering). The CTL operators involving U and V (and
hence F and G) can be expressed as fixed points of an appropriate $F$.
Below, we assume that all states in the structure have successors.

Consider, for example, a formula such as $A(\varphi\, U\, \psi)$. Let us assume
that we know the sets of states $S_\varphi$ and $S_\psi$ where $\varphi$ and $\psi$ are true,
respectively, and let us write $AX\, S_1$ for the set of states all of whose
successors lie in $S_1$. A state will satisfy $A(\varphi\, U\, \psi)$ iff it either satisfies
$\psi$ immediately (is an element of $S_\psi$), or if it satisfies $\varphi$ (is in $S_\varphi$) and
all of its successors satisfy $A(\varphi\, U\, \psi)$. If we let $S_{A(\varphi U \psi)}$ denote the
states satisfying $A(\varphi\, U\, \psi)$, then symbolically we have:

    $S_{A(\varphi U \psi)} = S_\psi \cup (S_\varphi \cap AX\, S_{A(\varphi U \psi)})$.

This suggests that $A(\varphi\, U\, \psi)$ can be expressed as a fixed point of the
function

    $F(S_1) = S_\psi \cup (S_\varphi \cap AX\, S_1)$.

In fact, the set of states satisfying $A(\varphi\, U\, \psi)$ is the least fixed point of this
function. The least fixed point can be computed by starting with $\emptyset$ as an
initial approximation and then repeatedly applying $F$. Eventually we
will reach stability since the set of states is finite. Algorithmically, we
begin with no states that are known to satisfy $A(\varphi\, U\, \psi)$. After applying
$F$ once, we obtain $S_\psi$ as our approximation. At each successive step,
any states that satisfy $\varphi$ and whose successors are all known to satisfy
$A(\varphi\, U\, \psi)$ will be added to the approximation.

Similarly, $A(\varphi\, V\, \psi)$ is the greatest fixed point of the function

    $F(S_1) = S_\psi \cap (S_\varphi \cup AX\, S_1)$,

which is computed in the same way but starting from $S$ itself as the
initial approximation. Fixed point characterizations for operators such
as AG and EG can be derived by expressing these operators in terms of
the ones above.
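The following Python program is an added example and is not code from the thesis: it implements Definition 2.4 over an explicit structure and computes $A(\varphi\, U\, \psi)$ and $A(\varphi\, V\, \psi)$ by exactly the fixed-point iterations described above, with the abbreviations of the table rewritten into the core operators. The two request/acknowledge structures, their state names and the tuple encoding of formulas are this example's own constructions.

```python
# Added example, not from the thesis: an explicit-state CTL model checker for
# structures M = (S, I, R, A, L) following Definition 2.4.  A(phi U psi) is the
# least and A(phi V psi) the greatest fixed point described in the text.
# Formulas are nested tuples; the abbreviations of the table are rewritten
# into the core operators AX, AU and AV exactly as the table does.
from typing import Set


class Structure:
    """States, initial states, transition pairs (s0, s1) and a labeling
    L[s][a] giving the value of visible component a in state s."""

    def __init__(self, states, initial, trans, labels):
        self.S = set(states)
        self.I = set(initial)
        self.R = set(trans)
        self.L = labels
        # The fixed-point characterisations assume every state has a successor.
        for s in self.S:
            assert any(s0 == s for s0, _ in self.R), f"state {s} has no successor"

    def ax(self, Z: Set) -> Set:
        """AX Z: the states all of whose successors lie in Z."""
        return {s for s in self.S if all(t in Z for s0, t in self.R if s0 == s)}


def sat(M: Structure, f) -> Set:
    """The set of states of M satisfying formula f, computed bottom-up."""
    op = f[0]
    if op == "true":
        return set(M.S)
    if op == "atom":                         # a = d  iff  L(s, a) = d
        _, a, d = f
        return {s for s in M.S if M.L[s][a] == d}
    if op == "not":
        return M.S - sat(M, f[1])
    if op == "and":
        return sat(M, f[1]) & sat(M, f[2])
    if op == "AX":
        return M.ax(sat(M, f[1]))
    if op in ("AU", "AV"):
        S_phi, S_psi = sat(M, f[1]), sat(M, f[2])
        if op == "AU":                       # lfp of F(Z) = S_psi u (S_phi n AX Z), from the empty set
            Z = set()
            while True:
                Z_next = S_psi | (S_phi & M.ax(Z))
                if Z_next == Z:
                    return Z
                Z = Z_next
        Z = set(M.S)                         # gfp of F(Z) = S_psi n (S_phi u AX Z), from S
        while True:
            Z_next = S_psi & (S_phi | M.ax(Z))
            if Z_next == Z:
                return Z
            Z = Z_next
    raise ValueError(f"unknown operator {op}")


# The abbreviations of the table, rewritten into the core operators.
TRUE = ("true",)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return Not(And(Not(f), Not(g)))
def Implies(f, g): return Or(Not(f), g)
def AX(f): return ("AX", f)
def EX(f): return Not(AX(Not(f)))
def AU(f, g): return ("AU", f, g)
def AV(f, g): return ("AV", f, g)
def EU(f, g): return Not(AV(Not(f), Not(g)))
def EV(f, g): return Not(AU(Not(f), Not(g)))
def AG(f): return AV(Not(TRUE), f)
def AF(f): return AU(TRUE, f)
def EG(f): return EV(Not(TRUE), f)
def EF(f): return EU(TRUE, f)
def atom(a, d): return ("atom", a, d)


def holds(M: Structure, f) -> bool:
    """M |= f iff every initial state satisfies f."""
    return M.I <= sat(M, f)


# Constructed request/acknowledge structures (state names are this example's).
LABELS = {"s0": {"req": 0, "ack": 0}, "s1": {"req": 1, "ack": 0},
          "s2": {"req": 1, "ack": 1}, "s3": {"req": 1, "ack": 0}}
# M_GOOD: every request is eventually acknowledged and the system can restart.
M_GOOD = Structure(["s0", "s1", "s2"], ["s0"],
                   [("s0", "s0"), ("s0", "s1"), ("s1", "s2"), ("s2", "s0")], LABELS)
# M_STUCK adds a state s3 in which a request is never acknowledged.
M_STUCK = Structure(["s0", "s1", "s2", "s3"], ["s0"],
                    [("s0", "s0"), ("s0", "s1"), ("s1", "s2"), ("s2", "s0"),
                     ("s1", "s3"), ("s3", "s3")], LABELS)

REQ_ACK = AG(Implies(atom("req", 1), AF(atom("ack", 1))))   # AG(req = 1 -> AF ack = 1)
RESTART = AG(EF(atom("req", 0)))                            # AG EF req = 0

if __name__ == "__main__":
    for name, M in (("M_GOOD", M_GOOD), ("M_STUCK", M_STUCK)):
        print(name, "req/ack:", holds(M, REQ_ACK), "restart:", holds(M, RESTART))
```

Both properties hold of `M_GOOD` and fail for `M_STUCK`: the least fixed point for $AF\, ack = 1$ never grows past $\{s_2\}$ because $s_1$ has the successor $s_3$, and the greatest fixed point for $AG$ then collapses to the empty set.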
2.2  Moore  Machines

We now consider one class of systems that we would like to verify: synchronous
digital circuits. Such a circuit consists of a number of latches
or state-holding registers, plus logic that updates these latches based
on the current state of the system and inputs from the environment.
There is a global clock, and during each clock cycle, the values in the
latches and the inputs are used to drive the logic and compute the next
state value of the system. One common model for systems such as this
is the Moore machine [72]. A Moore machine is a kind of state transition
system with distinct inputs and outputs. During each step of the
computation of a Moore machine, the environment supplies an input,
the machine makes a transition, and, based on the final state, gives an
output. The formal definition is as follows.

Definition 2.5 A Moore machine $M = (S, I, A_I, A_O, R, L)$ is a tuple
of the following form:

1. $S$ is a set of states.

2. $I \subseteq S$ is a nonempty set of initial states.

3. $A_I$ is a set of input state components. Each element $a$ of $A_I$ has
a corresponding domain $D_a$ of possible values.

4. $A_O$ is a set of output state components. Each element $a$ of $A_O$
has a corresponding domain $D_a$ of possible values.

5. $R$ is a transition relation, relating a starting state in $S$, a labeling
function over $A_I$, and an ending state in $S$. For every $s_0 \in S$ and
labeling function $f$ over $A_I$, there must exist some $s_1 \in S$ such
that $R(s_0, f, s_1)$.

6. $L$ is a function that takes a state and an output state component $a$
and returns an element of $D_a$.

The sets of input and output state components must be disjoint.
Note that we allow our Moore machines to be nondeterministic.
That is, for one particular input, we may have transitions to two states
with the same output labeling. Synchronous circuits are deterministic,
but we often want to use nondeterminism in modeling. As we will see
in later examples, nondeterminism allows us to:

1. model classes of circuits or incompletely specified designs; and

2. hide internal state and simplify the verification process.

Example 2.2 The circuit shown in figure 2.2 is an implementation
of the protocol described in example 2.1. It consists of two registers,
$r$ and $p$, and has one input $a$. The initial value in the registers is
assumed to be logic 0. The Moore machine corresponding to this circuit
is shown in figure 2.3. The state labelings and initial states are indicated
as in our earlier example. Conditions on the arcs are used to give the
input conditions under which the transition can be taken. □

Figure 2.2: A handshake circuit

Moore machines that have disjoint sets of output state components
can be composed in a natural way. In a composition of two Moore
machines, each machine may receive some of its inputs from the other
element of the composition and some of its inputs from the (as yet
unspecified) environment. The composed machine has as outputs all
of the outputs of the components. Its inputs are all those inputs that
are not tied to outputs from other components during the composition.
At the circuit level, Moore machine composition corresponds to wiring
outputs from each machine to appropriate inputs of the other.
Figure 2.3: Moore machine for the circuit of figure 2.2

Example 2.3 The circuit shown in figure 2.4 is a possible environment
for the circuit of example 2.2. It receives requests via the input $r$ and
gives acknowledgments using the output $a$. It also has an output $q$
that becomes 1 when it first produces an acknowledgment. When we
compose the two circuits, the $r$ output of the circuit in figure 2.2 is tied
to the input $r$ of the circuit in figure 2.4. Similarly, the output $a$ of the
circuit in figure 2.4 drives the $a$ input of the circuit in figure 2.2. The
overall circuit is shown in figure 2.5. □

Definition 2.6 The composition of Moore machines $M$ and $M'$ (denoted
$M \parallel M'$) is defined when $A_O \cap A'_O = \emptyset$ and is then the Moore
machine $M''$ defined by:

1. $S'' = S \times S'$.

2. $I'' = I \times I'$.

3. $A''_I = (A_I - A'_O) \cup (A'_I - A_O)$.

4. $A''_O = A_O \cup A'_O$.

5. $R''((s_0, s'_0), f'', (s_1, s'_1))$ iff $R(s_0, f, s_1)$ and $R'(s'_0, f', s'_1)$, where
$f = f'' \cup (L'(s'_0) \downarrow A_I)$ and $f' = f'' \cup (L(s_0) \downarrow A'_I)$. The idea here is to
say that:

(a) each machine must take a step; and

(b) the inputs that each machine sees are the inputs from the
overall environment plus the outputs from the other machine
in the composition.

We are using $\cup$ and $\downarrow$ to denote enlarging and restricting the
domain of a labeling function. $L'(s'_0) \downarrow A_I$ is the labeling function
whose domain is $dom(L'(s'_0)) \cap A_I$ and which agrees with $L'(s'_0)$
on this set. In other words, it represents the outputs of $M'$ that
$M$ is going to observe. $f'' \cup (L'(s'_0) \downarrow A_I)$ is the labeling function
with domain $dom(f'') \cup (dom(L'(s'_0)) \cap A_I)$ that agrees with $f''$ on
$dom(f'')$ and with $L'(s'_0)$ on $dom(L'(s'_0)) \cap A_I$. Thus, it represents
all the inputs to $M$: those from the external environment ($f''$)
and those from $M'$ ($L'(s'_0) \downarrow A_I$).

6. $L''((s, s')) = L(s) \cup L'(s')$, where $L(s)$ denotes the labeling function
over $A_O$ that maps each $a$ to $L(s, a)$.

Example  2.4  The  Moore  machine  for  the  circuit  of  figure  2.4  is  shown 
in  figure  2.6.  Composing  this  Moore  machine  with  the  Moore  machine 
of  figure  2.3  yields  the  Moore  machine  shown  in  figure  2.7.  (Here  we  are 
showing  only  the  reachable  states  of  the  composition.)  On  examining 
the  result  of  the  composition,  we  see  that  it  does  in  fact  represent  the 
composite  circuit  (figure  2.5).  □ 


2.3  Moore  Machines  and  CTL 

We  now  have  two  models  of  computation:  structures  and  Moore  ma¬ 
chines.  We  also  have  a  temporal  logic,  CTL,  whose  semantics  are  de¬ 
fined  over  the  former.  In  this  section,  we  consider  the  question  of  how 
to  define  the  semantics  of  CTL  for  Moore  machines.  Recall  our  pre¬ 
vious  circuit  example.  In  our  composed  circuit  (figure  2.5),  there  are 
no  free  inputs.  As  a  result,  the  Moore  machine  for  this  circuit  (fig¬ 
ure  2.7)  looks  very  much  like  a  structure.  Also,  we  have  the  intuition 
Figure 2.6: Moore machine for the circuit of figure 2.4


Figure  2.7:  Composition  of  Moore  machines 
that the behavior of the circuit cannot be altered by connecting it to
other  circuits.  Thus,  it  seems  natural  to  define  a  correspondence  be¬ 
tween  Moore  machines  with  no  free  inputs  and  structures.  (In  fact, 
due  to  the  isomorphism  between  such  Moore  machines  and  structures, 
we  will  sometimes  identify  them  for  notational  convenience.)  Then,  we 
will  define  the  semantics  of  CTL  for  these  Moore  machines  by  using 
the  corresponding  structure. 

Definition 2.7 A Moore machine $M$ is called closed if it has no free
inputs, i.e., if $A_I = \emptyset$. A closing environment for $M$ is a Moore
machine $M'$ with $A_O \cap A'_O = \emptyset$ and $A_I \subseteq A'_O$. Thus, $M$ and $M'$ can be
composed, and the result will be closed.

Definition 2.8 The structure $M'$ for the Moore machine $M$ (denoted
$struct(M)$) is defined as follows:

1. $S' = S \times labelings(A_I)$. (Recall that $labelings(A_I)$ is the set of
all labeling functions over $A_I$.)

2. $I' = I \times labelings(A_I)$.

3. $R'((s_0, f_0), (s_1, f_1))$ iff $R(s_0, f_0, s_1)$.

4. $A' = A_I \cup A_O$.

5. $L'((s, f), a) = f(a)$ for $a \in A_I$. $L'((s, f), a) = L(s, a)$ for $a \in A_O$.

In the above definition, we actually assign a structure to an arbitrary
Moore machine, not just a closed one. The reason for this will become
clear later; for now, assume that the Moore machine $M$ above is closed.
Now we define satisfaction in terms of $struct(M)$.

Definition 2.9 Let $M$ be a closed Moore machine, and let $\varphi$ be a CTL
formula with $A_O \supseteq comp(\varphi)$. Then $M \models \varphi$ iff $struct(M) \models \varphi$.

(Note that the fact that a Moore machine is closed does not mean
that it cannot be composed with other Moore machines. Given this,
there needs to be some argument that such compositions do not affect
the closed machine in any real way. For now, we just state that this is
indeed the case: given a closed machine $M$, a formula $\varphi$ and a closing
environment $M'$, we have $M \models \varphi$ iff $M \parallel M' \models \varphi$. The proof of this is
deferred.)

Let us now consider non-closed Moore machines. One possible way
to define the semantics of CTL for such machines is to just assume that
the environment can give any input at any point. With this assumption,
we can produce a structure for an arbitrary machine $M$. The idea will
be as follows: each state of $M$ will be split into a number of structure
states, one for each possible input that the environment could give.
The transitions out of one of the structure states $s$ are determined
by looking at the Moore machine transition relation and seeing which
transitions are enabled given the particular input represented by $s$. In
fact, the structure obtained in this way is exactly $struct(M)$ as defined
above. Now we can again just take $M \models \varphi$ iff $struct(M) \models \varphi$. This is
the approach that has traditionally been used [13, 14].

Example 2.5 Consider the non-closed Moore machine of example 2.2.
This Moore machine, shown in figure 2.3, is represented by the structure
given in figure 2.1. Each state of the Moore machine has been split into
two structure states, one for the case when $a = 0$ and one for the case
when $a = 1$. □
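As an added example that is not code from the thesis, the following Python implements Definition 2.5 (with the totality check on $R$), composition $M \parallel M'$ as in Definition 2.6, the closing-environment test of Definition 2.7, and the splitting of each Moore state into one structure state per input labeling that gives $struct(M)$ (Definition 2.8, as just described). The requester/acknowledger pair `P` and `E` is this example's own construction, not the circuits of figures 2.2 and 2.4, whose register-level behaviour is not given in the text.

```python
# Added example, not from the thesis: Moore machines (Definition 2.5), their
# composition M || M' (Definition 2.6), closing environments (Definition 2.7)
# and the structure struct(M) of Definition 2.8.  Labeling functions are
# frozensets of (component, value) pairs so they can serve as set elements.
from itertools import product
from typing import Dict, FrozenSet, Set, Tuple

Labeling = FrozenSet[Tuple[str, int]]


def labeling(**values) -> Labeling:
    return frozenset(values.items())


def restrict(f: Labeling, comps: Set[str]) -> Labeling:
    """f restricted to comps: the labeling with domain dom(f) n comps."""
    return frozenset((a, v) for a, v in f if a in comps)


def labelings(comps: Set[str], domains: Dict[str, Set[int]]) -> Set[Labeling]:
    """labelings(comps): every function assigning each component a value."""
    names = sorted(comps)
    return {frozenset(zip(names, vals))
            for vals in product(*(sorted(domains[a]) for a in names))}


class Moore:
    """M = (S, I, A_I, A_O, R, L): R is a set of (s0, f, s1) triples with f a
    labeling over A_I, and L maps each state to a labeling over A_O."""

    def __init__(self, S, I, A_I, A_O, domains, R, L):
        self.S, self.I = set(S), set(I)
        self.A_I, self.A_O = set(A_I), set(A_O)
        self.domains, self.R, self.L = dict(domains), set(R), dict(L)
        assert self.I and not (self.A_I & self.A_O)
        # R must be total: a successor for every state and every input labeling.
        for s0, f in product(self.S, labelings(self.A_I, self.domains)):
            assert any(a == s0 and g == f for a, g, _ in self.R), (s0, dict(f))

    def closed(self) -> bool:
        return not self.A_I


def is_closing_environment(M: Moore, Mp: Moore) -> bool:
    return not (M.A_O & Mp.A_O) and M.A_I <= Mp.A_O


def compose(M: Moore, Mp: Moore) -> Moore:
    assert not (M.A_O & Mp.A_O), "output components must be disjoint"
    A_I = (M.A_I - Mp.A_O) | (Mp.A_I - M.A_O)
    A_O = M.A_O | Mp.A_O
    domains = {**M.domains, **Mp.domains}
    S = set(product(M.S, Mp.S))
    L = {(s, sp): M.L[s] | Mp.L[sp] for s, sp in S}
    R = set()
    for (s0, sp0), f2 in product(S, labelings(A_I, domains)):
        # Each machine sees the environment's inputs plus the other's current
        # outputs; components of f'' meant for the other machine are dropped.
        f = restrict(f2 | restrict(Mp.L[sp0], M.A_I), M.A_I)
        fp = restrict(f2 | restrict(M.L[s0], Mp.A_I), Mp.A_I)
        for a, g, s1 in M.R:
            if a != s0 or g != f:
                continue
            for b, h, sp1 in Mp.R:
                if b == sp0 and h == fp:        # both machines take a step together
                    R.add(((s0, sp0), f2, (s1, sp1)))
    return Moore(S, set(product(M.I, Mp.I)), A_I, A_O, domains, R, L)


def struct(M: Moore):
    """struct(M): each state is split once per input labeling the environment
    could be supplying; a transition may lead to any input labeling next."""
    Ls = labelings(M.A_I, M.domains)
    S = set(product(M.S, Ls))
    I = set(product(M.I, Ls))
    R = {((s0, f0), (s1, f1)) for s0, f0, s1 in M.R for f1 in Ls}
    L = {(s, f): {**dict(f), **dict(M.L[s])} for s, f in S}
    return S, I, R, L


def reachable(M: Moore) -> Set:
    seen, todo = set(M.I), list(M.I)
    while todo:
        s = todo.pop()
        for a, _, t in M.R:
            if a == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


# Constructed handshake: a requester P that nondeterministically raises r and
# holds it until acknowledged, and an acknowledger E answering a = 1 one step
# after it sees r = 1.
BITS = {"a": {0, 1}, "r": {0, 1}}
P = Moore(["idle", "wait"], ["idle"], {"a"}, {"r"}, BITS,
          [("idle", f, t) for f in labelings({"a"}, BITS) for t in ("idle", "wait")]
          + [("wait", labeling(a=0), "wait"), ("wait", labeling(a=1), "idle")],
          {"idle": labeling(r=0), "wait": labeling(r=1)})
E = Moore(["q0", "q1"], ["q0"], {"r"}, {"a"}, BITS,
          [("q0", labeling(r=0), "q0"), ("q0", labeling(r=1), "q1"),
           ("q1", labeling(r=0), "q0"), ("q1", labeling(r=1), "q0")],
          {"q0": labeling(a=0), "q1": labeling(a=1)})
PE = compose(P, E)

if __name__ == "__main__":
    print("struct(P) states:", len(struct(P)[0]))   # 4: P's 2 states split by a = 0 / a = 1
    print("P || E closed:", PE.closed(), "reachable:", sorted(reachable(PE)))
```

`E` is a closing environment for `P`, so `P || E` has no free inputs and `struct(P || E)` has exactly one copy of each product state, while `struct(P)` alone doubles every state; only three of the four product states are reachable, which is the effect noted for figure 2.7.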

With this definition of when a CTL formula is true for a Moore
machine, we have that the machine of figure 2.3 satisfies the formula

    $AG(r = 1 \wedge p = 1 \wedge a = 0 \rightarrow EX\, EX(r = 1 \wedge p = 0))$.

Note, however, that when we compose this Moore machine with the one
in figure 2.6 (obtaining the Moore machine in figure 2.7), the formula
ceases to hold. On the other hand, according to this definition, the
machine of figure 2.3 also satisfies

    $EF(a = 0 \wedge EX(a = 0 \wedge EX\, a = 0))$
    $\rightarrow EF(r = 1 \wedge p = 1 \wedge a = 0 \wedge EX\, EX(r = 1 \wedge p = 0))$.

(“If it is possible for three $a = 0$ inputs to occur in a row, then it is also
possible to pass through the state rpd and to be in one of the states rpn
or rpd in two more steps.”) This formula in fact remains true no matter
what closing environment we use for the machine. In order to be able to
do  compositional  reasoning,  we  must  have  some  way  of  distinguishing 
between  these  two  situations.  That  is,  we  need  to  be  able  to  tell  when  a 
formula  is  true  of  all  possible  closed  systems  that  we  could  build  using 
a  given  non-closed  machine.  Motivated  by  this  requirement,  we  now 
give  the  definition  of  satisfaction  of  a  formula  that  we  will  use  from  this 
point  on. 


Definition 2.10 Let $M$ be a Moore machine, and let $\varphi$ be a formula
with $A_I \cup A_O \supseteq comp(\varphi)$. We say that $M$ satisfies $\varphi$ ($M \models \varphi$) when
for every closing environment $M'$ for $M$, $struct(M \parallel M') \models \varphi$.


Obviously, this is not a definition that immediately suggests any
procedure for checking whether $M \models \varphi$. The problem of deciding,
for a particular class of formulas, whether or not a Moore machine
satisfies a formula in that class will be called the compositional model
checking problem for the class. In the remainder of this chapter, we first
show that there is probably no efficient algorithm for the compositional
model checking problem for full CTL. However, we will show that for
a subset of the logic called ACTL, the problem is efficiently decidable.
This result will serve as the basis for the remainder of the thesis: using
ACTL, we give methods for doing full assume-guarantee style reasoning
and for using abstraction to simplify the verification process.

Before proceeding, we must say a word about what we consider to
be an efficient algorithm. Consider a Moore machine $M$ where $A_I$ is
a set of input components ranging over $\{0, 1\}$ and $A_O$ is empty. Also,
suppose $S = I = \{s_0\}$ and that there is a transition from $s_0$ to $s_0$
on any input. The traditional model checking algorithm for CTL on
Moore machines has complexity exponential in $|A_I|$ in this case, even
for purely propositional formulas. This is precisely because each state
of $M$ is viewed as being represented by $2^{|A_I|}$ structure states. In fact,
for a purely propositional formula $\varphi$, checking whether $M \models \varphi$ is
equivalent to checking whether $\varphi$ is a tautology. Given this observation,
we cannot expect to obtain an algorithm that runs in time subexponential
in $|A_I|$. Thus, we will consider an algorithm that is exponential in $|A_I|$
but polynomial in $|S|$, $|R|$, $|\varphi|$, etc., to be “efficient”.
2.4  Compositional  Verification  and  CTL

In  this  section,  we  consider  the  compositional  model  checking  prob¬ 
lem  for  full  CTL;  given  a  Moore  machine  and  a  CTL  formula,  decide 
whether  the  formula  is  true  of  all  closed  systems  containing  the  Moore 
machine.  We  show  that  there  is  probably  no  efficient  algorithm  to  solve 
it.  More  specifically,  we  prove  that  even  if  M  is  represented  by  its  corre¬ 
sponding  structure  (i.e.,  the  input  is  already  exponential  in  |A/|),  then 
the  compositional  model  checking  problem  for  CTL  is  still  NP-hard. 

The reduction will be from 3SAT [34]. Let $f = c_0 \wedge c_1 \wedge \cdots \wedge c_{m-1}$
be a 3SAT formula, and let the variables in $f$ be $x_0, x_1, \ldots, x_{n-1}$.
We are going to construct a Moore machine $M$ that will receive a
sequence of inputs, one per variable of $f$, denoting whether each variable
is true or false. Given such a sequence of inputs, the terminal reachable
states of $M$ will indicate whether each conjunct in $f$ is true or false for
those particular variable values and so tell whether $f$ is satisfied. The
quantification over all closing environments is used to quantify over all
possible input sequences, i.e., all valuations of the $x_j$.

Conceptually, the inputs to $M$ will take on values from the set

    $\{x_0, \neg x_0, \ldots, x_{n-1}, \neg x_{n-1}\}$.

We encode these possible inputs using $\lceil \log_2 2n \rceil$ boolean input state
components. The input sequence representing the valuation for the
$x_j$ will be of the form $i, i_0, \ldots, i_{n-1}, \ldots$, where $i$ is an arbitrary
initialization input, $i_j$ is either $x_j$ or $\neg x_j$, and the inputs after $i_{n-1}$ are
arbitrary. Conceptually, the output labeling function for each state will
denote one of the values

    $\{nothing, c_0, \neg c_0, \ldots, c_{m-1}, \neg c_{m-1}\}$.

These are encoded with $\lceil \log_2(2m + 1) \rceil$ boolean output state components.
For clarity, when writing inputs and outputs, we will use the
conceptual values above. Also, when labeling states in a figure, we use
no label to indicate $nothing$.

Let $e_j$ denote either $x_j$ or $\neg x_j$, and let $\neg e_j$ be $\neg x_j$ if $e_j = x_j$ and $x_j$
if $e_j = \neg x_j$. For each conjunct $c_k = (e_{j_0} \vee e_{j_1} \vee e_{j_2})$ of $f$, we construct
a recognizer that will tell whether the conjunct is satisfied. Assume
without loss of generality that $j_0 < j_1 < j_2$. The recognizer for this
conjunct is shown in figure 2.8. Obviously, given a sequence of inputs
as described above, this recognizer will reach the state labeled $c_k$ if
the conjunct evaluates to true and will reach the state labeled $\neg c_k$
otherwise. Also, once it reaches either of these states, it remains there
regardless of any further inputs.


Figure 2.8: Recognizer Moore machine for a conjunct (three of its arcs are
labeled “otherwise”)

The Moore machine $M$ will consist of a group of recognizers, one
per conjunct. These recognizers all share their initial state, i.e., $M$ has
exactly one initial state. Consider an environment which supplies a
sequence of inputs of the form described earlier to $M$. In this environment,
the state labeled $\neg c_k$ is reachable iff the corresponding valuation
of the $x_j$ makes the conjunct $c_k$ false. Thus, the valuation represented
by the environment makes $f$ false iff for some $k$, there exists a path
in the composition of $M$ and the environment to a state labeled $\neg c_k$.
Based on this, it is tempting to suggest that $f$ is satisfiable iff it is not
the case that every closed system containing $M$ satisfies the formula

    $(EF\, \neg c_0) \vee (EF\, \neg c_1) \vee \cdots \vee (EF\, \neg c_{m-1})$.

This is not quite the case, however, in that an arbitrary environment
may not behave as we would like. For example, it may never give an
input signaling the truth value of some particular $x_j$, or it may give
an input saying that $x_j$ is true and then later give an input saying
that it is false. One way to try to exclude this type of behavior would
be to add a kind of “syntax checker” to $M$, such as the one shown
in figure 2.9 (in the figure, “o/w” denotes “otherwise”). However, this
leads to complications if the environment nondeterministically chooses
different variable values on different paths.


Figure  2.9:  Syntax  checking  Moore  machine 


Instead of adding such a checker, we modify our CTL formula. After
one arbitrary input, the environment may either supply an $x_0$ or a
$\neg x_0$, but it may not output anything else, nor do we want it to
nondeterministically choose different values on different paths. That is, it
must satisfy

    $(AX\, x_0) \vee (AX\, \neg x_0)$.

In general, after $j + 1$ steps, it must supply a unique value for $x_j$, and
hence must satisfy

    $(AX^{j+1}\, x_j) \vee (AX^{j+1}\, \neg x_j)$,
where $AX^i\, \varphi$ is an abbreviation for

    $\underbrace{AX\, AX \ldots AX}_{i\text{ times}}\, \varphi$.

This leads us to the desired result (the proof is deferred).

Theorem 2.1 $f$ is satisfiable iff it is not the case that every closed
system containing $M$ satisfies the formula

    $\bigwedge_{j=0}^{n-1} \big((AX^{j+1}\, x_j) \vee (AX^{j+1}\, \neg x_j)\big) \rightarrow \bigvee_{k=0}^{m-1} EF\, \neg c_k$.

To complete the argument that the compositional model checking
problem for CTL is NP-hard even when the Moore machine is given as a
structure, we need to show that the Moore machine constructed above
can be constructed in time polynomial in the size of $f$. Obviously it will
be enough to observe that the (structure for the) Moore machine has
size polynomial in the size of $f$. The Moore machine has $m$ recognizers,
each of which has six (Moore machine) states. The state labeling for
each state uses $O(\log_2 m)$ bits. The input encoding is $O(\log_2 n)$ bits
long, where $n$ is the number of variables appearing in $f$. Hence when
we expand the Moore machine into a structure, we get a factor of $O(n)$
increase in size. Overall, the number of bits needed to represent the
states of the Moore machine is $O(mn \log_2 m)$. The number of bits
needed to represent the transitions is at worst $O(n(mn \log_2 m)^2)$.
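The following Python is an added example, not code from the thesis: it builds one six-state recognizer per conjunct as the reduction describes, feeds every recognizer the input sequence $i, i_0, \ldots, i_{n-1}$ encoding a valuation, and reads Theorem 2.1 operationally by ranging over all such environments. Figure 2.8 is not reproduced in the text, so the exact layout of the recognizer (an initial state, three “waiting” states, and the absorbing $c_k$ and $\neg c_k$ states) is this example's own assumption, and inputs are handled as the conceptual values $x_j$ / $\neg x_j$ rather than their $\lceil \log_2 2n \rceil$-bit encodings; the formula `F` is constructed for the example.

```python
# Added example, not from the thesis: the recognizer Moore machines of the
# 3SAT reduction, driven by the input sequences i, i_0, ..., i_{n-1} that
# encode a valuation.  The six-state layout below is an assumption (figure 2.8
# is not in the text), and inputs are the conceptual values, not bit encodings.
from itertools import product
from typing import List, Optional, Tuple

Literal = Tuple[int, bool]            # (variable index j, True for x_j, False for not x_j)
Clause = Tuple[Literal, Literal, Literal]


class Recognizer:
    """Deterministic 6-state Moore machine for one conjunct c_k = (e_j0 v e_j1 v e_j2)
    with j0 < j1 < j2.  Output labeling: None ("nothing"), c_k or not c_k."""

    def __init__(self, k: int, clause: Clause):
        assert clause[0][0] < clause[1][0] < clause[2][0], "assume j0 < j1 < j2"
        self.k, self.clause = k, clause
        self.state = "init"                   # consumes the arbitrary initialization input i

    def step(self, inp: Literal) -> None:
        if self.state == "init":
            self.state = "wait0"              # now waiting for the value of x_j0
        elif self.state.startswith("wait"):
            t = int(self.state[4])
            j, polarity = self.clause[t]
            if inp[0] != j:                   # "otherwise": an input about another variable
                return
            if inp[1] == polarity:            # literal e_jt is true: conjunct satisfied
                self.state = "c"
            elif t < 2:
                self.state = f"wait{t + 1}"   # e_jt false, wait for the next literal
            else:
                self.state = "not c"          # all three literals false
        # "c" and "not c" are absorbing: further inputs are ignored

    def output(self) -> Optional[str]:
        return {"c": f"c{self.k}", "not c": f"not c{self.k}"}.get(self.state)


def run(clauses: List[Clause], n: int, valuation: List[bool]) -> List[Optional[str]]:
    """Feed one valuation of x_0..x_{n-1} to all recognizers (shared initial state)."""
    recs = [Recognizer(k, c) for k, c in enumerate(clauses)]
    inputs: List[Literal] = [(0, True)] + [(j, valuation[j]) for j in range(n)]  # i, i_0, ..., i_{n-1}
    for inp in inputs:
        for r in recs:
            r.step(inp)
    return [r.output() for r in recs]


def falsified(clauses: List[Clause], n: int, valuation: List[bool]) -> List[str]:
    """The labels not c_k reached under this valuation, i.e. the EF(not c_k) that hold."""
    return [o for o in run(clauses, n, valuation) if o and o.startswith("not")]


def satisfiable(clauses: List[Clause], n: int) -> Optional[List[bool]]:
    """Theorem 2.1 read operationally: f is satisfiable iff some well-formed
    closing environment (here: some valuation) drives no recognizer to not c_k."""
    for bits in product([False, True], repeat=n):
        if not falsified(clauses, n, list(bits)):
            return list(bits)
    return None


# Constructed f = (x0 v not x1 v x2) ^ (not x0 v x1 v x3) ^ (not x0 v not x2 v not x3)
F: List[Clause] = [((0, True), (1, False), (2, True)),
                   ((0, False), (1, True), (3, True)),
                   ((0, False), (2, False), (3, False))]

if __name__ == "__main__":
    print(run(F, 4, [True, True, True, True]))   # ['c0', 'c1', 'not c2']
    print(satisfiable(F, 4))                     # [False, False, False, False]
```

Ranging over valuations is the brute force that the reduction hides inside the quantification over closing environments; the point of the example is the recognizer itself, which never needs more than the six states the size argument counts.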

Before moving on, we note that we can obtain an efficient approximation
algorithm for the compositional model checking problem for
full CTL. Consider why the compositional model checking problem for
CTL is difficult. First, it is generally not possible to decompose a formula
into subformulas, check the subformulas, and combine the results.
For example, consider checking $EX(a = 1) \vee EX(a = 0)$ on a Moore
machine where $a$ is an input ranging over $\{0, 1\}$. Obviously, the formula
as a whole will be true regardless of what the environment does.
However, $EX\, a = 1$ is certainly not true for all environments, nor is
$EX\, a = 0$. Thus, determining whether the two subformulas are true in
all environments does not help us solve the overall problem.




A related difficulty arises in situations such as the one shown in
figure 2.10. Consider trying to determine whether $EX\, EX\, b = 1$ is true
of all systems containing the Moore machine shown in the figure. In the
standard CTL model checking algorithm, we would use the truth value
for $EX\, b = 1$ at the two successors of the initial state to determine
whether $EX\, EX\, b = 1$ was true at the initial state. For this example,
there are environments that make $EX\, b = 1$ false at the left successor
and others that make the formula false at the right successor. However,
the overall formula is in fact true in all environments. This is because
no environment can distinguish between the two successors based on
their labeling. Hence, if the environment supplies the input $a = 1$ to
the left successor, $b = 1$ becomes true in the next state. If it supplies
only $a = 0$, then it must also supply $a = 0$ to the right successor, and
this will again lead to a state where $b$ is true. Thus we cannot just look
at immediate successors when evaluating temporal operators.


Figure 2.10: A nondeterministic Moore machine

Our approximation algorithm will be designed to avoid these problems.
Given a formula and a Moore machine $M$, the algorithm will
indicate either:

1. the formula is true of all closed systems containing $M$; or

2. the formula is false of all closed systems containing $M$; or

3. the truth value of the formula for all closed systems containing $M$ is
unknown.

Our  approximation  algorithm  will  be  efficient,  but  it  will  not  be  able 
to  resolve  all  difficult  situations  such  as  those  discussed  above. 

The basic idea behind the algorithm will be to separate out the branching in the environment (input nondeterminism) from the branching in the Moore machine itself (internal nondeterminism). When checking a formula such as EX φ at a state, we will see whether for all input choices, there exists an internal choice such that we reach a state where φ must hold. The basic structure of the algorithm will then be similar to standard CTL model checking methods. We proceed in a bottom-up fashion, starting at the atomic subformulas and working our way towards the top-level formula. Operators such as EF will be evaluated using fixed point techniques. The full approximation algorithm and a proof of its correctness are deferred until the end of the chapter.

2.5  ACTL 

In this section, we show that there is a subset of CTL, which we call ACTL [30, 52, 60, 85], for which the compositional model checking problem is efficiently decidable. Further, this subset is sufficiently expressive to cover almost all of the temporal formulas that are used as specifications in practice. The basic idea behind ACTL is to eliminate the ability to talk about the existence of a path, i.e., the E path quantifier. Once the logic can only talk about behavior over all paths, we will just need to consider a single "maximal" closing environment in order to solve the compositional model checking problem. Intuitively, composing with any other closing environment will eliminate some paths, and since our formulas only talk about behavior over all paths, such pruning will not change a formula from true to false. Further, if the composition of the given component with its maximal closing environment does not satisfy the specified formula, then the formula obviously cannot be true of all closed systems containing the component. We begin by formally defining ACTL; in order to ensure that E does not arise via duality, we require that formulas be in a type of negation-normal form. Thus, negations can only be applied to atomic formulas.

Definition 2.11 The logic ACTL over a set of state components A is the set of formulas given by the following inductive definition:

1. The constant true is an atomic formula.

2. For each state component a in A and each value d that a may take, a = d is an atomic formula.

3. If φ is an atomic formula, then ¬φ is a formula.

4. If φ and ψ are formulas, then φ ∧ ψ and φ ∨ ψ are formulas.

5. If φ and ψ are formulas, then AX φ, A(φ V ψ) and A(φ U ψ) are formulas.

We may sometimes write an ACTL property using E; in these cases, pushing negations inwards using duality will result in a proper ACTL formula.

ACTL is sufficient to express many interesting properties. In fact, almost all CTL specifications that are used in practice are expressible in ACTL. Intuitively, this is because we generally want to require that a system must behave correctly, rather than that it may behave correctly. The most commonly used CTL properties that cannot be expressed in ACTL are those describing weak progress requirements. As an example, the formula AG EF restart = 1 that we mentioned earlier is not expressible in ACTL.

We now show that the compositional model checking problem for ACTL is efficiently decidable. To do this, we will prove that it is enough to consider the composition of the component M with the following environment when doing the model checking.

Definition 2.12 The maximal closing environment for the Moore machine M, denoted E(M), is the Moore machine M' defined as follows:

1. S' = F, where F is the set of all labeling functions over A_I.

2. I' = F.

3. A'_I = ∅.

4. A'_O = A_I.

5. R'(s'_0, f', s'_1) is identically true.

6. L'(f, a) = f(a).

Example 2.6 The maximal closing environment for the Moore machine of figure 2.3 is shown in figure 2.11. It has no inputs and one output, a, corresponding to the input of the Moore machine in the earlier figure. Composing the Moore machine of figure 2.3 with its maximal environment gives the result shown in figure 2.12. □


Figure 2.11: The maximal closing environment for the Moore machine of figure 2.3


The reader may think that the state diagram in figure 2.12 looks familiar. In fact, it is the same as the one in figure 2.1, which happens to be the structure for the Moore machine of figure 2.3. In general, the composition of the Moore machine M together with E(M) gives a Moore machine that is isomorphic to struct(M). Thus, when checking whether struct(M || E(M)) ⊨ φ, we are essentially just checking that struct(M) ⊨ φ. This means that doing the composition with the maximal closing environment does not really increase the size of the state graph that we are working with. We now turn to the main result of this section.

Figure 2.12: The composition of the Moore machine of figure 2.3 with its maximal closing environment

Theorem 2.2 Let M be an arbitrary Moore machine, and suppose that φ is an ACTL formula with A_I ∪ A_O ⊇ comp(φ). Then M ⊨ φ iff struct(M || E(M)) ⊨ φ.

The formal proof of this is deferred until the end of the chapter; here, we just try to give the intuition why it is true. The key idea is to note that if M' is a closing environment for M, then there is a natural mapping from states of M || M' to states of M || E(M). To see this, consider a state s' of M'. Since M' is a closing environment for M, the output labeling of s' must give values to all the state components in A_I. Hence, we can view s' as giving rise to a labeling function over A_I. However, each such labeling function is a state of E(M), and so for each s', we have a corresponding state of E(M). Now a state (s, s') of M || M' will just be identified with (s, L'(s') ↓ A_I) in M || E(M).

Example 2.7 Let M be the Moore machine of figure 2.3. Recall that the composition of M with its maximal closing environment (figure 2.11) is given by figure 2.12. Now let M' be the Moore machine of figure 2.6. M' is a closing environment for M, and the composition of M and M' is shown in figure 2.7. For each state in M || M', we can obtain a corresponding state in M || E(M) by dropping the labeling for the state component q. As an example, the state fpaq in M || M' maps to the state fpa in M || E(M). □

Further, the mapping above also has two nice properties:

1. initial states of M || M' map to initial states of M || E(M); and

2. pairs of states, i.e., transitions, of M || M' map to transitions of M || E(M).

In essence, the Moore machine M || M' can be embedded in the Moore machine M || E(M). Now consider a formula of ACTL. The formula describes properties of all paths from a state. If such a formula is false at some state in M || M', then we can find some path demonstrating why it is false. This path is then mapped into a corresponding path in M || E(M). By using an inductive argument, we can prove that this path demonstrates that the corresponding state in M || E(M) does not satisfy the property either. This argument shows that if we verify that a formula is true for M || E(M), then we know that the formula holds in all closed systems that contain M. Further, if the formula is false for M || E(M), then obviously we have found a closed system containing M for which the formula is false.
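To make the construction concrete, here is an added example in Python; it is not code from the thesis. It builds E(M) for a small constructed toggle machine M (one input a, one output b), composes the two as in the definition of Moore machine composition, and runs a small ACTL checker over the resulting closed machine; by theorem 2.2 the verdict obtained on M || E(M) is the verdict for every closed system containing M. It then composes M with one particular closing environment to show that a formula which fails on M || E(M) can still hold for a specific environment. The toggle machine, the environment ENV_A1, and the tuple encoding of formulas are all assumptions of this example.

```python
from itertools import product

def valuations(components, domain=(0, 1)):
    """All labeling functions over `components`, as sorted (name, value) tuples."""
    names = tuple(sorted(components))
    return frozenset(tuple(zip(names, vals))
                     for vals in product(domain, repeat=len(names)))

def restrict(f, comps):
    """f ↓ comps: drop the state components not in comps."""
    return tuple((a, d) for a, d in f if a in comps)

class Moore:
    """States S, initial states I, inputs A_I, outputs A_O,
    R(s, f) -> set of successors under input valuation f, L(s) -> output labeling."""
    def __init__(self, S, I, A_I, A_O, R, L):
        self.S, self.I = frozenset(S), frozenset(I)
        self.A_I, self.A_O, self.R, self.L = frozenset(A_I), frozenset(A_O), R, L

def maximal_env(m):
    """E(M) of definition 2.12: S' = I' = all labelings over A_I, A'_I = ∅,
    A'_O = A_I, R' identically true, L'(f) = f."""
    F = valuations(m.A_I)
    return Moore(F, F, (), m.A_I, lambda s, f: set(F), lambda s: s)

def compose(m1, m2):
    """M1 || M2: each side reads the other's outputs together with any free input g."""
    A_O = m1.A_O | m2.A_O
    A_I = (m1.A_I | m2.A_I) - A_O
    def R(p, g):
        s, t = p
        f1 = restrict(tuple(sorted(m2.L(t) + g)), m1.A_I)
        f2 = restrict(tuple(sorted(m1.L(s) + g)), m2.A_I)
        return {(u, v) for u in m1.R(s, f1) for v in m2.R(t, f2)}
    return Moore(product(m1.S, m2.S), product(m1.I, m2.I), A_I, A_O, R,
                 lambda p: tuple(sorted(m1.L(p[0]) + m2.L(p[1]))))

def ax(m, Z):
    """States whose successors (closed machine: the only input is ()) all lie in Z."""
    return {s for s in m.S if m.R(s, ()) <= Z}

def sat(m, phi):
    """States of the closed machine m satisfying the ACTL formula phi, encoded as
    ("true",), ("atom", a, d), ("not", atomic), ("and"|"or", p, q), ("AX", p),
    ("AU", p, q) for A(p U q) and ("AV", p, q) for A(p V q)."""
    k = phi[0]
    if k == "true":
        return set(m.S)
    if k == "atom":
        return {s for s in m.S if dict(m.L(s)).get(phi[1]) == phi[2]}
    if k == "not":
        return set(m.S) - sat(m, phi[1])
    if k in ("and", "or"):
        p, q = sat(m, phi[1]), sat(m, phi[2])
        return p & q if k == "and" else p | q
    if k == "AX":
        return ax(m, sat(m, phi[1]))
    if k in ("AU", "AV"):
        p, q = sat(m, phi[1]), sat(m, phi[2])
        Z = set() if k == "AU" else set(m.S)   # least / greatest fixed point
        while True:
            nxt = q | (p & ax(m, Z)) if k == "AU" else q & (p | ax(m, Z))
            if nxt == Z:
                return Z
            Z = nxt
    raise ValueError(phi)

def models(m, phi):
    """M ⊨ phi for a closed machine: every initial state satisfies phi."""
    assert not m.A_I, "only closed machines correspond to structures"
    return m.I <= sat(m, phi)

# constructed toggle machine M (assumption): b is 1 for one step after a = 1 was read
def r_toggle(s, f):
    if s == "s0":
        return {"s1"} if dict(f)["a"] == 1 else {"s0"}
    return {"s0"}
M = Moore(("s0", "s1"), ("s0",), ("a",), ("b",), r_toggle,
          lambda s: (("b", 1 if s == "s1" else 0),))
# one particular closing environment (assumption): a single state that always drives a = 1
ENV_A1 = Moore(("e",), ("e",), (), ("a",), lambda s, f: {"e"}, lambda s: (("a", 1),))

TRUE, FALSE = ("true",), ("not", ("true",))
def AG(p): return ("AV", FALSE, p)   # AG p = A(false V p)
def AF(p): return ("AU", TRUE, p)    # AF p = A(true U p)
B1 = ("atom", "b", 1)
PHI_NEXT_LOW = AG(("or", ("not", B1), ("AX", ("not", B1))))  # b = 1 is always followed by b = 0
PHI_PROGRESS = AG(AF(B1))                                    # b = 1 keeps recurring

if __name__ == "__main__":
    closed = compose(M, maximal_env(M))
    print("M || E(M) has", len(closed.S), "states")
    print("AG(b=1 -> AX b=0) in every closed system:", models(closed, PHI_NEXT_LOW))
    print("AG AF b=1 in every closed system:", models(closed, PHI_PROGRESS))
    print("AG AF b=1 with the a=1 environment:", models(compose(M, ENV_A1), PHI_PROGRESS))
```

PHI_PROGRESS fails on M || E(M) because E(M) contains the run that supplies a = 0 forever, which is exactly the closed system the theorem's second direction produces as a witness; the same formula holds once M is closed with ENV_A1, which only shows that a particular environment may satisfy more than the maximal one guarantees.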


2.6  Summary 

We have considered the issues involved in using the temporal logic CTL to specify properties of systems of Moore machines. The desire to do compositional reasoning led us to consider the compositional model checking problem: given a Moore machine and a formula, is the formula true in all closed systems that can be built using the Moore machine? We showed that there is probably no efficient algorithm for solving this problem in the case of general CTL formulas. However, we also proved that the problem can be solved efficiently for the CTL subset ACTL. ACTL will be used in the following chapters as the basis for doing assume-guarantee style reasoning and for using abstraction. The remainder of this chapter is devoted to filling in some of the formal details and proofs that were deferred earlier.
2.7 Technical Details

First, here is the formal definition of comp, the function that returns the set of state components that appear in a formula.

Definition 2.13 The set comp(φ) of state components of the formula φ is defined as follows:

1. comp(true) = ∅.

2. comp(a = d) = {a}.

3. comp(¬φ) = comp(φ). comp(φ ∧ ψ) = comp(φ) ∪ comp(ψ).

4. comp(AX φ) = comp(φ).
comp(A(φ U ψ)) = comp(φ) ∪ comp(ψ).
comp(A(φ V ψ)) = comp(φ) ∪ comp(ψ).

Now let us go back to the definition of satisfaction of a formula by a closed Moore machine (definition 2.9). We remarked there that since closed Moore machines can still be composed with other Moore machines, there needed to be an argument that such composition did not really affect the closed Moore machine. This notion will be formalized using a notion of bisimulation equivalence [71] between Moore machines. The basic idea will be to show that if we have a closed Moore machine M, and we compose M with a closing environment M', then M and M || M' will be equivalent. We will then appeal to the well-known result that equivalent structures satisfy the same CTL formulas [16]. There is one detail that we must take care of first however: M and M || M' will not actually be directly comparable since M || M' will contain extra outputs. Thus, we will need a way to hide these outputs.

Definition 2.14 Let M be a Moore machine and A be a set of state components. The result of restricting M to A (denoted M ↓ A) is the Moore machine M' defined by:

1. S' = S.

2. I' = I.

3. A'_I = A_I ∩ A.

4. A'_O = A_O ∩ A.

5. R'(s_0, f', s_1) iff there exists f such that f' = f ↓ A and R(s_0, f, s_1).

6. L' is defined by L'(s) = L(s) ↓ A.

While the above definition makes it possible to hide inputs, in general we will only be concerned with hiding output state components. Hiding outputs can just be thought of as "erasing" part of the output labeling on each state of the Moore machine. Now we give our definition of equivalence between Moore machines. This is essentially the standard notion of strong bisimulation [71].

Definition 2.15 Let M and M' be Moore machines with A_I = A'_I and A_O = A'_O. A relation ≈ ⊆ S × S' is a bisimulation relation iff for every pair of states s_0 and s'_0 such that s_0 ≈ s'_0, the following holds:

1. L(s_0, a) = L'(s'_0, a) for all a ∈ A_O.

2. For all labeling functions f over A_I, if R(s_0, f, s_1), there exists s'_1 such that R'(s'_0, f, s'_1) and s_1 ≈ s'_1.

3. For all labeling functions f over A_I, if R'(s'_0, f, s'_1), there exists s_1 such that R(s_0, f, s_1) and s_1 ≈ s'_1.

Two states s and s' are bisimulation equivalent (M, s ~ M', s') whenever there exists a bisimulation relation ≈ such that s ≈ s'. M and M' are bisimulation equivalent (M ~ M') whenever for every state s ∈ I, there exists s' ∈ I' such that M, s ~ M', s', and conversely, for every state s' ∈ I', there exists s ∈ I such that M, s ~ M', s'.

Note that if the Moore machines M and M' in the above definition are closed, then bisimulation between the Moore machines corresponds exactly to bisimulation between their structures (where structure bisimulation is defined in the standard way). Next, we turn to the proof that composing a closed Moore machine with another closing environment does not affect the first machine.
Proposition 2.1 Let M be a closed Moore machine, and M' be a closing environment for M. Then M ~ (M || M') ↓ A_O.

Proof Define M'' = M || M' and M''' = M'' ↓ A_O. Let ≈ be defined by s ≈ (s, s') for every s' in S'; we show that ≈ is a bisimulation relation. If s_0 ≈ (s_0, s'_0), then:

1. L'''((s_0, s'_0)) = (L(s_0) ∪ L'(s'_0)) ↓ A_O = L(s_0).

2. Suppose R(s_0, f, s_1); note that dom(f) = ∅. Since the transition relation for any Moore machine is total, there exists s'_1 such that R'(s'_0, L(s_0) ↓ A'_I, s'_1). Now by the definition of Moore machine composition, R''((s_0, s'_0), f, (s_1, s'_1)). This implies that (s_0, s'_0) and (s_1, s'_1) are also related via R'''. By our definition of ≈, s_1 ≈ (s_1, s'_1).

3. Suppose R'''((s_0, s'_0), f, (s_1, s'_1)); again note that dom(f) = ∅. Then R''((s_0, s'_0), f, (s_1, s'_1)). Now by the definition of Moore machine composition, R(s_0, f, s_1), and we have s_1 ≈ (s_1, s'_1).

Moore machines must have non-empty initial state sets, so there must be some s' ∈ I'. Now if s ∈ I, then (s, s') ∈ I'' and (s, s') ∈ I'''. Also, every (s, s') ∈ I''' is related by ≈ to s ∈ I. Thus M ~ M'''. □

Because of the isomorphism between closed Moore machines and structures and the relation between closed Moore machine bisimulation and structure bisimulation, we find that struct(M) and struct(M || M') must be bisimilar. This implies that they satisfy the same CTL formulas, which is the desired result.
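As an added illustration (not code from the thesis), the following Python computes the greatest bisimulation relation of definition 2.15 by refining S × S' until conditions 1 to 3 are stable, and uses the restriction operator M ↓ A of definition 2.14 to hide an output before comparing. This has the same shape as proposition 2.1, where a machine is compared against a composition with one output hidden, but the composition step is omitted and the machine with the extra output is written down directly. The three machines M1, M2, M3 and the machine N are constructed for this example and are assumptions.

```python
from itertools import product

def valuations(components, domain=(0, 1)):
    """All labeling functions over `components`, as sorted (name, value) tuples."""
    names = tuple(sorted(components))
    return frozenset(tuple(zip(names, vals))
                     for vals in product(domain, repeat=len(names)))

def restrict(f, comps):
    """f ↓ comps: drop the state components not in comps."""
    return tuple((a, d) for a, d in f if a in comps)

class Moore:
    """S, I, A_I, A_O, R(s, f) -> successor set under input f, L(s) -> output labeling."""
    def __init__(self, S, I, A_I, A_O, R, L):
        self.S, self.I = frozenset(S), frozenset(I)
        self.A_I, self.A_O, self.R, self.L = frozenset(A_I), frozenset(A_O), R, L

def hide(m, A):
    """M ↓ A (definition 2.14): R'(s0, f', s1) iff some f with f ↓ A = f' has R(s0, f, s1),
    and L'(s) = L(s) ↓ A."""
    def R(s, fp):
        return set().union(*(m.R(s, f) for f in valuations(m.A_I) if restrict(f, A) == fp))
    return Moore(m.S, m.I, m.A_I & A, m.A_O & A, R, lambda s: restrict(m.L(s), A))

def bisimulation(m1, m2):
    """Greatest relation ≈ ⊆ S × S' satisfying conditions 1 to 3 of definition 2.15."""
    assert m1.A_I == m2.A_I and m1.A_O == m2.A_O, "definition 2.15 needs equal A_I and A_O"
    inputs = valuations(m1.A_I)                    # for a closed machine this is {()}
    rel = {(s, t) for s in m1.S for t in m2.S if m1.L(s) == m2.L(t)}   # condition 1
    while True:
        keep = set()
        for s, t in rel:
            ok = True
            for f in inputs:
                succ1, succ2 = m1.R(s, f), m2.R(t, f)
                fwd = all(any((u, v) in rel for v in succ2) for u in succ1)   # condition 2
                bwd = all(any((u, v) in rel for u in succ1) for v in succ2)   # condition 3
                if not (fwd and bwd):
                    ok = False
                    break
            if ok:
                keep.add((s, t))
        if keep == rel:
            return rel
        rel = keep

def equivalent(m1, m2):
    """M ~ M': every initial state of each machine is related to an initial state of the other."""
    rel = bisimulation(m1, m2)
    return (all(any((s, t) in rel for t in m2.I) for s in m1.I) and
            all(any((s, t) in rel for s in m1.I) for t in m2.I))

# --- constructed machines (assumptions); input a, output b -------------------
def r_toggle(s, f):
    if s == "s0":
        return {"s1"} if dict(f)["a"] == 1 else {"s0"}
    return {"s0"}
M1 = Moore(("s0", "s1"), ("s0",), ("a",), ("b",), r_toggle,
           lambda s: (("b", int(s == "s1")),))

# same behaviour as M1, but the b = 1 state is split into two copies chosen nondeterministically
def r_split(s, f):
    if s == "s0":
        return {"s1a", "s1b"} if dict(f)["a"] == 1 else {"s0"}
    return {"s0"}
M2 = Moore(("s0", "s1a", "s1b"), ("s0",), ("a",), ("b",), r_split,
           lambda s: (("b", int(s != "s0")),))

# differs from M1: it stays in the b = 1 state for as long as a = 1 is supplied
def r_hold(s, f):
    return {"s1"} if dict(f)["a"] == 1 else {"s0"}
M3 = Moore(("s0", "s1"), ("s0",), ("a",), ("b",), r_hold,
           lambda s: (("b", int(s == "s1")),))

# M1 with an extra output q mirroring b; hiding q should give a machine equivalent to M1
N = Moore(("s0", "s1"), ("s0",), ("a",), ("b", "q"), r_toggle,
          lambda s: (("b", int(s == "s1")), ("q", int(s == "s1"))))

if __name__ == "__main__":
    print("M1 ~ M2:", equivalent(M1, M2))
    print("M1 ~ M3:", equivalent(M1, M3))
    print("(N ↓ {a, b}) ~ M1:", equivalent(hide(N, {"a", "b"}), M1))
```

The refinement starts from the largest relation allowed by the labeling condition and only ever removes pairs, so the result is the greatest bisimulation; N and M1 cannot even be compared before hiding q, because definition 2.15 requires the same output components on both sides.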

Next, we give the proof of theorem 2.1 (NP-hardness of the compositional model checking problem for full CTL). We will not repeat the details of the construction here (the reader may wish to look back over section 2.4).

Proof Assume that every closed system containing M satisfies the formula. Then in particular, the composition of M with an environment of the form shown in figure 2.13 must satisfy the formula. Such an environment represents a particular valuation of the variables in f. The composition of M and this environment obviously satisfies the left side of the implication, so EF ¬c_k must also be true. This implies that some conjunct in f is false for the valuation under consideration. Since this valuation was chosen arbitrarily, we conclude that f is unsatisfiable.


Figure  2.13:  Environment  representing  a  valuation 

Assume that it is not the case that every closed system containing M satisfies the formula. Let M' be a closing environment for M for which the formula is false. Consider a run of M || M'. Let i_0, i_1, …, i_{n−1} be the first n + 1 inputs supplied to M by M'. For the formula to be false,

$$A\Big(\bigwedge_{j=0} \big((AX^{j+1}\, x_j) \vee (AX^{j+1}\, \neg x_j)\big)\Big)$$

must be true. Hence i_j must be either x_j or ¬x_j. Consider applying this sequence of inputs to the recognizer for c_k. Since

$$\bigvee_{k=0}^{m-1} EF\, \neg c_k$$

must be false, this sequence of inputs must lead to the state of the recognizer labeled with c_k, i.e., c_k must be true for the valuation represented by this sequence of inputs. But since this is true for an arbitrary c_k, this valuation must in fact be a satisfying valuation for f. □

We now give the details of the approximation algorithm for solving the compositional model checking problem for CTL. Given a Moore machine M, a state s of M, and a CTL formula φ, let M, s ⊨ φ denote that: for every closed system containing M, every composite state in which M is at s satisfies φ. This is analogous to what it means for M to satisfy φ, but we only consider a specific state of M. Let f be a labeling function over A_I; M, s, f ⊨ φ will be similar to M, s ⊨ φ, except that we only consider composite states where M is at s and the input supplied to M is f. For example, suppose M is the Moore machine of figure 2.10 and let s be the state just to the left of and below the initial state. Then M, s, f ⊨ EX b = 1 when f(a) = 1. The algorithm will record, for each subformula φ and each state s of M, a set of f such that M, s, f ⊨ φ and a set of f such that M, s, f ⊨ ¬φ. (Since we are only computing an approximation, the sets might not include all f satisfying these conditions.)

For atomic formulas these sets are computed in the obvious way. Similarly, the sets for a formula like φ ∧ ψ can be computed in a straightforward manner from the sets for φ and ψ. The only interesting question is how to compute the sets for EX φ from the sets for φ. Consider applying the input f at state s. Suppose that given this input, s has successors s_0, …, s_{n−1}. Also suppose that for one of the s_i, M, s_i, f' ⊨ φ for all possible f'. Then clearly M, s, f ⊨ EX φ. More generally, suppose that some of the s_i, say s_0 and s_1, have the same output labeling. In this case, the environment cannot distinguish between s_0 and s_1 and hence must supply the same inputs to both. Thus we have M, s, f ⊨ EX φ if for every f', either M, s_0, f' ⊨ φ or M, s_1, f' ⊨ φ. We take the union of the sets of valuations for which φ is known to be true at s_0 and s_1 and see whether this is the set of all input valuations. In summary, our strategy for deciding whether M, s, f ⊨ EX φ is to look at the successors of s under f, group them into classes according to their output labeling, and take the union of the sets for which φ is true within each class. If for any class, the result is the set of all input valuations, then we know M, s, f ⊨ EX φ. (Note we are actually doing some work to try to resolve situations involving nondeterministic transitions. However, we are bounding the amount of "lookahead" that we are willing to do to just one level of successors.) Now consider ¬EX φ. This formula must be true at s if for every successor s_i, φ is known to be false at s_i for every input valuation, i.e., M, s_i, f' ⊨ ¬φ for all s_i and f'.

We will let S_{s,φ} denote the set of input valuations f for which we know that M, s, f ⊨ φ. Also, T_{s,φ} will denote the set of input valuations f for which we know M, s, f ⊨ ¬φ. In figures 2.14 through 2.16, we give the algorithm for computing S_{s,φ} and T_{s,φ} for all states s and subformulas φ. We have omitted the description of the procedure computeegsets since it is similar to computeeusets except using the fixed point characterization of EG. Also, all the assignments of the form S_{s,φ} := … and T_{s,φ} := … include an implicit loop over all states s of M.


procedure computesets(φ)
  if φ = (a = d)
    S_{s,φ} := {f | (L(s) ∪ f)(a) = d}
    T_{s,φ} := {f | (L(s) ∪ f)(a) ≠ d}
  else if φ = (¬ψ)
    computesets(ψ)
    S_{s,φ} := T_{s,ψ}
    T_{s,φ} := S_{s,ψ}
  else if φ = (ψ_0 ∧ ψ_1)
    computesets(ψ_0)
    computesets(ψ_1)
    S_{s,φ} := S_{s,ψ_0} ∩ S_{s,ψ_1}
    T_{s,φ} := T_{s,ψ_0} ∪ T_{s,ψ_1}
  else if φ = (EX ψ)
    computeexsets(ψ)
  else if φ = (E(ψ_0 U ψ_1))
    computeeusets(ψ_0, ψ_1)
  else if φ = (EG ψ)
    computeegsets(ψ)
  endif


Figure 2.14: Approximation algorithm for the compositional model checking problem for CTL

To  show  correctness,  we  have  the  following. 

Proposition 2.2 For all subformulas φ and all states s and input valuations f, we have:

1. if f ∈ S_{s,φ}, then M, s, f ⊨ φ; and

2. if f ∈ T_{s,φ}, then M, s, f ⊨ ¬φ.
function ex(s, ψ)
  result := ∅
  for each input valuation f
    for each class C of successors of s under f
        with identical output labelings
      if ∪_{s' ∈ C} S_{s',ψ} includes all input labeling functions
        result := result ∪ {f}
      endif
    endfor
  endfor
  return result

function ai(s, ψ)
  result := ∅
  for each input valuation f
    if for every successor s' of s under f,
        T_{s',ψ} includes all input labeling functions
      result := result ∪ {f}
    endif
  endfor
  return result

procedure computeexsets(ψ)
  computesets(ψ)
  S_{s,EX ψ} := ex(s, ψ)
  T_{s,EX ψ} := ai(s, ψ)

Figure 2.15: Procedure for computing S and T for EX




procedure computeeusets(φ, ψ)
  computesets(φ)
  computesets(ψ)
  S_{s,Y} := ∅
  repeat
    S_{s,Y} := S_{s,ψ} ∪ (S_{s,φ} ∩ ex(s, Y))
  until fixed point
  S_{s,E(φ U ψ)} := S_{s,Y}
  set T_{s,Y} to the set of all input valuations
  repeat
    T_{s,Y} := T_{s,ψ} ∩ (T_{s,φ} ∪ ai(s, Y))
  until fixed point
  T_{s,E(φ U ψ)} := T_{s,Y}

Figure 2.16: Procedure for computing S and T for E(φ U ψ)
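The following Python is an added example, not the thesis's own code, that runs the algorithm of figures 2.14 to 2.16 on a constructed Moore machine modelled on the description of figure 2.10: an initial state with two identically labelled successors, the left one reaching b = 1 on a = 1 and the right one on a = 0. It implements ex, ai and computesets for atomic formulas, negation, conjunction, EX and E(φ U ψ), and reports which of the three outcomes listed in section 2.4 applies at the initial state. The machine, its state names and the tuple encoding of formulas are assumptions of the example.

```python
from itertools import product

# --- constructed machine (assumption): input a in {0,1}, output b in {0,1} ---
INPUT_DOMAINS = {"a": (0, 1)}
STATES = ("init", "left", "right", "b0", "b1")
LABEL = {"init": {"b": 0}, "left": {"b": 0}, "right": {"b": 0},
         "b0": {"b": 0}, "b1": {"b": 1}}
# every input valuation f, as a sorted tuple of (component, value) pairs
ALL_INPUTS = frozenset(
    tuple(zip(sorted(INPUT_DOMAINS), vals))
    for vals in product(*(INPUT_DOMAINS[n] for n in sorted(INPUT_DOMAINS))))

def successors(s, f):
    """R(s, f, ·): the successors of s when the environment supplies f."""
    a = dict(f)["a"]
    if s == "init":        # internal nondeterminism; left and right carry the same labeling
        return {"left", "right"}
    if s == "left":
        return {"b1"} if a == 1 else {"b0"}
    if s == "right":
        return {"b1"} if a == 0 else {"b0"}
    return {s}             # b0 and b1 loop so that R stays total

def ex(s, S_psi):
    """Function ex of figure 2.15: inputs f for which some class of identically
    labelled successors covers every input valuation with its S_{s',psi} sets."""
    result = set()
    for f in ALL_INPUTS:
        classes = {}
        for t in successors(s, f):
            classes.setdefault(tuple(sorted(LABEL[t].items())), []).append(t)
        for cls in classes.values():
            if frozenset().union(*(S_psi[t] for t in cls)) == ALL_INPUTS:
                result.add(f)
                break
    return frozenset(result)

def ai(s, T_psi):
    """Function ai of figure 2.15: inputs f under which psi is known to be false
    at every successor for every input valuation."""
    return frozenset(f for f in ALL_INPUTS
                     if all(T_psi[t] == ALL_INPUTS for t in successors(s, f)))

def compute_sets(phi, memo=None):
    """Return (S, T) with S[s] = S_{s,phi} and T[s] = T_{s,phi} (figure 2.14).
    Formulas are tuples: ("true",), ("atom", a, d), ("not", p), ("and", p, q),
    ("EX", p) and ("EU", p, q) for E(p U q)."""
    memo = {} if memo is None else memo
    if phi in memo:
        return memo[phi]
    kind = phi[0]
    if kind == "true":
        S = {s: ALL_INPUTS for s in STATES}
        T = {s: frozenset() for s in STATES}
    elif kind == "atom":
        _, a, d = phi      # (L(s) ∪ f)(a) = d: a may be an output or an input
        S = {s: frozenset(f for f in ALL_INPUTS if {**LABEL[s], **dict(f)}.get(a) == d)
             for s in STATES}
        T = {s: ALL_INPUTS - S[s] for s in STATES}
    elif kind == "not":
        T, S = compute_sets(phi[1], memo)
    elif kind == "and":
        S0, T0 = compute_sets(phi[1], memo)
        S1, T1 = compute_sets(phi[2], memo)
        S = {s: S0[s] & S1[s] for s in STATES}
        T = {s: T0[s] | T1[s] for s in STATES}
    elif kind == "EX":
        S1, T1 = compute_sets(phi[1], memo)
        S = {s: ex(s, S1) for s in STATES}
        T = {s: ai(s, T1) for s in STATES}
    elif kind == "EU":     # computeeusets of figure 2.16: two fixed-point iterations
        S0, T0 = compute_sets(phi[1], memo)
        S1, T1 = compute_sets(phi[2], memo)
        S = {s: frozenset() for s in STATES}
        while True:
            nxt = {s: S1[s] | (S0[s] & ex(s, S)) for s in STATES}
            if nxt == S:
                break
            S = nxt
        T = {s: ALL_INPUTS for s in STATES}
        while True:
            nxt = {s: T1[s] & (T0[s] | ai(s, T)) for s in STATES}
            if nxt == T:
                break
            T = nxt
    else:
        raise ValueError(phi)
    memo[phi] = (S, T)
    return S, T

def verdict(phi, initial="init"):
    """Outcome 1, 2 or 3 of section 2.4 for phi at the initial state of the machine."""
    S, T = compute_sets(phi)
    if S[initial] == ALL_INPUTS:
        return "true in all closed systems containing M"
    if T[initial] == ALL_INPUTS:
        return "false in all closed systems containing M"
    return "unknown"

B1 = ("atom", "b", 1)
EX_B1 = ("EX", B1)
EXEX_B1 = ("EX", EX_B1)
EF_B1 = ("EU", ("true",), B1)                                    # EF b=1 as E(true U b=1)
EXA1_AND_EXA0 = ("and", ("EX", ("atom", "a", 1)), ("EX", ("atom", "a", 0)))

if __name__ == "__main__":
    for name, phi in [("EX EX b=1", EXEX_B1), ("EX b=1", EX_B1),
                      ("EF b=1", EF_B1), ("EX a=1 and EX a=0", EXA1_AND_EXA0)]:
        print(f"{name:20s} -> {verdict(phi)}")
```

EX EX b = 1 is resolved because the two successors of the initial state fall into one class and their S sets for EX b = 1 ({a = 1} at left, {a = 0} at right) together cover every input valuation; EX a = 1 ∧ EX a = 0, the example from the start of this discussion, comes out as unknown, which is the imprecision the text warns the approximation retains.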

Proof By induction on the structure of the subformula. For atomic subformulas, the result is trivial, and for subformulas whose top operator is a logical connective, the result follows in a straightforward way from the induction hypothesis.

Consider a subformula EX φ; suppose f ∈ S_{s,EX φ}. Then there exists a group s_0, …, s_{n−1} of successors of s under f such that L(s_i) = L(s_j) for all i and j and such that ∪_i S_{s_i,φ} is the universal set of input labeling functions. Consider any closing environment that presents f to M at the state s. M will be able to make transitions to all of the s_i, and if the environment presents an input f' to one s_i, it must present that same input to all. But for any such f', there exists an i such that f' ∈ S_{s_i,φ}. By the induction hypothesis, M, s_i, f' ⊨ φ, so in the environment that we are considering, φ will be satisfied starting at s_i. Hence, given the input f, s will have a successor satisfying φ, i.e., M, s, f ⊨ EX φ.

Suppose now that f ∈ T_{s,EX φ}. For every successor s' of s under f, T_{s',φ} is the set of all input valuations. By the induction hypothesis, M, s', f' ⊨ ¬φ for every f'. Thus, given the input f, φ must be false at every successor regardless of the closing environment. Hence M, s, f ⊨ ¬EX φ.
Next, we consider subformulas of the form E(φ U ψ). Assume that f ∈ S_{s,E(φ U ψ)}, and fix a closing environment for M that supplies f at s. Since f ∈ S_{s,E(φ U ψ)}, there is some iterate of S_{s,Y}, say S_{s,Y,i}, containing f. Assume without loss of generality that i is chosen to be as small as possible. We prove by induction on i that M, s, f 뀨 E(φ U ψ). If i = 1, then we must have f ∈ S_{s,ψ}. By the outer induction hypothesis, M, s, f ⊨ ψ, and hence M, s, f ⊨ E(φ U ψ). For i > 1, we have f ∈ S_{s,φ} (so M, s, f ⊨ φ). Further, given f, s must have a class of successors s_0, …, s_{n−1} such that all s_j have the same labeling and for each f', f' ∈ S_{s_j,Y,i−1} for some j. By the inner induction hypothesis, M, s_j, f' ⊨ E(φ U ψ). This implies M, s, f ⊨ EX E(φ U ψ). As a result, M, s, f ⊨ E(φ U ψ).

Suppose f ∈ T_{s,E(φ U ψ)}, and again fix a closing environment that supplies f at s. Consider the iterates T_{s,Y,i} for i > 0. We prove via induction on i that if f ∈ T_{s,Y,i}, then there is no path starting at s and beginning with the input f satisfying φ U ψ and such that a state satisfying ψ is reached within i − 1 steps. For i = 1, we have f ∈ T_{s,ψ}, and so by the outer induction hypothesis, M, s, f ⊨ ¬ψ. For i > 1, assume we have a path satisfying φ U ψ. We know f ∈ T_{s,ψ}, so again ψ cannot be true immediately. Thus, since the path satisfies φ U ψ, it must satisfy φ at s. By the outer induction hypothesis this means f ∉ T_{s,φ}, and so f ∈ ai(s, Y); hence for every successor of s under f, and for the successor s' on the path in particular, T_{s',Y,i−1} is the universal set of input valuations. Now by the induction hypothesis, there is no path starting at s' satisfying φ U ψ and such that a state satisfying ψ is reached within i − 2 steps. Hence, ψ is not reached in i − 1 steps on the original path. Now suppose that there is in fact a path satisfying φ U ψ from s and beginning with the input f. Since ψ must become true at some point on this path, f must not be in T_{s,Y,i} for sufficiently large i. But this implies f ∉ T_{s,E(φ U ψ)}, a contradiction. Hence there is no such path, and so M, s, f ⊨ ¬E(φ U ψ).

The proof for subformulas of the form EG φ is similar in spirit to the above and is omitted. □

Our final proof is of theorem 2.2 (that it is enough to check ACTL formulas just using the maximal closing environment).

Proof Let M' be a closing environment for M. Then we know that A'_O ⊇ A_I. This implies that for each state s' of M', we can derive a unique labeling function over A_I by L'(s') ↓ A_I. Now each such labeling function is a state of E(M), so the map ϕ defined by ϕ(s') = L'(s') ↓ A_I maps states of M' to states of E(M). We can extend this to a map from states of M || M' to states of M || E(M) by having ϕ((s, s')) = (s, L'(s') ↓ A_I). Now:

1. If (s, s') is an initial state of M || M', then s ∈ I, and so ϕ((s, s')) is an initial state of M || E(M).

2. If (s_0, s'_0) can make a transition to (s_1, s'_1) in M || M' (remember there are no free inputs), then R(s_0, L'(s'_0) ↓ A_I, s_1). This implies that ϕ((s_0, s'_0)) can make a transition to ϕ((s_1, s'_1)) in M || E(M). Hence, every path in M || M' has a corresponding path in M || E(M).

Since Moore machines with no free inputs are isomorphic to their corresponding structures, we will ignore the distinction for the remainder of this proof.

We now prove by induction on the structure of ACTL formulas that if M || E(M), ϕ((s, s')) ⊨ φ, then M || M', (s, s') ⊨ φ.

1. For true, we trivially have ϕ((s, s')) ⊨ true and (s, s') ⊨ true.

2. Consider the atomic formula a = d. Assume a ∈ A_O; then ϕ((s, s')) = (s, L'(s') ↓ A_I), so ϕ((s, s')) ⊨ (a = d) iff L(s, a) = d. However, (s, s') ⊨ (a = d) iff L(s, a) = d as well. If a ∈ A_I, then ϕ((s, s')) ⊨ (a = d) iff (L'(s') ↓ A_I)(a) = d iff L'(s', a) = d iff (s, s') ⊨ (a = d).

3. For negations of atomic formulas, just note that in the above two cases, we showed iffs rather than simple implication.

4. For conjunctions and disjunctions, the result follows immediately from the induction hypothesis.

5. Consider a formula of the form A(φ U ψ). Assume ϕ((s, s')) satisfies this formula. Let (s_0, s'_0)(s_1, s'_1)… be a path in M || M' from (s, s') = (s_0, s'_0). Assume that this path does not satisfy φ U ψ. Then there exists j such that (s_j, s'_j) does not satisfy φ, and for all i ≤ j, (s_i, s'_i) does not satisfy ψ. By the (contrapositive of the) induction hypothesis, ϕ((s_j, s'_j)) ⊭ φ and ϕ((s_i, s'_i)) ⊭ ψ for all i ≤ j. However, ϕ((s_0, s'_0)) ϕ((s_1, s'_1))… is a path in M || E(M). This path does not satisfy φ U ψ, and so ϕ((s_0, s'_0)) = ϕ((s, s')) does not satisfy A(φ U ψ), a contradiction. Thus the path (s_0, s'_0)… must in fact satisfy φ U ψ. However, this path was chosen arbitrarily, and so (s, s') ⊨ A(φ U ψ). The proof for the other temporal operators is similar.

Now we have shown that ϕ((s, s')) ⊨ φ implies that (s, s') ⊨ φ. If M || M' ⊭ φ, then there is an initial state (s, s') of M || M' such that (s, s') ⊭ φ. By the above, ϕ((s, s')) ⊭ φ. But ϕ((s, s')) is also an initial state, and so M || E(M) ⊭ φ. Taking the contrapositive gives that M || E(M) ⊨ φ implies M || M' ⊨ φ. Since M' was an arbitrary closing environment, we conclude that if M || E(M) ⊨ φ, then M ⊨ φ. Finally, if M || E(M) ⊭ φ, then there is a closed system containing M that does not satisfy φ, and so M ⊭ φ. □


Chapter  3 


Compositional  Verification, 
Part  II 


In the previous chapter, we considered the problem of determining whether a temporal logic formula is true of all closed systems that can be built using a component M. In practice however, we need more powerful capabilities:

1. We need to be able to do assume-guarantee style reasoning. Components are generally designed with some assumptions about how their environment will behave. Thus, we want to check that: for all closing environments, either the environment violates some assumption, or the composition of M with the environment is guaranteed to satisfy φ.

2. We need methods of doing hierarchical verification. In hierarchical verification, the specifications that we check become implementations at the next higher level of abstraction. When our specifications are given as formulas and our components are given as state transition systems, it is not obvious how this can be achieved.

Consider, for example, a pair of components $M$ and $M'$ that work together to provide a service to a larger environment. The environment passes requests to $M$, and $M$ enqueues them. $M'$ removes requests from the queue, processes them, and sends acknowledgments back to the environment. Suppose that we wish to verify that every request that the environment makes is eventually acknowledged. We may try to deduce this by verifying that:

1. every request that $M$ receives is eventually enqueued; and

2. every request that is put on the queue is eventually processed and acknowledged by $M'$.

The first property above is essentially a local property of $M$, while the second is a local property of $M'$. Thus, we might try to check the properties using just $M$ and just $M'$, respectively. However, if $M$ and $M'$ have been designed with some assumptions about the protocol used to access the queue, then we may find that the “local” properties really depend on these assumptions. When doing the verification, we must take these assumptions into account. (Of course, we must also discharge the assumptions by showing that $M$ and $M'$ follow the intended protocol.) Suppose that we do manage to verify that every request made by the environment is eventually acknowledged, and that we now want to prove a global progress property about the whole system. This progress property may depend on the fact that $M$ and $M'$ eventually service requests. However, it probably does not depend on the details of how this is accomplished. Thus, instead of using $M$ and $M'$ when doing the verification, we would like to use the first property that we checked as an alternative “implementation” of $M \parallel M'$.

In this chapter, we show how to do assume-guarantee style reasoning and hierarchical verification using ACTL. This is achieved by proving a correspondence between satisfaction of ACTL formulas and a type of simulation relation between structures. We also illustrate these ideas by verifying the controller for a simple stack-based CPU.


3.1 Assume-Guarantee Reasoning

The assume-guarantee style of verification was first advocated in the context of temporal logic by Pnueli [77]. In Pnueli’s system, we work with triples of the form $\langle\varphi\rangle M \langle\psi\rangle$. The most common reading of such a triple is “if the environment of $M$ satisfies $\varphi$, then $M$ in this environment satisfies $\psi$.” A typical chain of reasoning would be as follows:

$$\langle\rangle M \langle\varphi\rangle$$
$$\langle\varphi\rangle M' \langle\psi\rangle$$
$$\langle\rangle M \parallel M' \langle\psi\rangle.$$

Here, we are asserting that if:

1. $M$ satisfies $\varphi$; and

2. if the environment of $M'$ satisfies $\varphi$, then $M'$ satisfies $\psi$

then the composition of $M$ and $M'$ will satisfy $\psi$. The advantage of doing the verification in this manner is that we never have to examine the composite state space of $M \parallel M'$. Instead, we check $\varphi$ using just $M$, and then check $\psi$ using only $M'$ and the (hopefully simple) assumption $\varphi$. The disadvantage is that the user must determine an appropriate $\varphi$. As we shall demonstrate later however, knowledge of how the system should behave plus feedback from an automatic verifier makes this feasible in practice.

More generally, we may use multiple levels of assumptions and guarantees when doing a verification. That is, once we have proved a guarantee, we may use that guarantee as an assumption in later stages. Because of this, a somewhat more precise reading of $\langle\varphi\rangle M \langle\psi\rangle$ would be “if the system satisfies $\varphi$ and contains $M$, then the system also satisfies $\psi$.” This is because $\varphi$ may in fact be something that is derived based on earlier assumptions about $M$, and may reflect these assumptions. Also, $\psi$ may describe the combination of $M$ and its environment, instead of just $M$. Of course, in order to avoid erroneous conclusions, all chains of deduction must be well-founded, i.e., the base assumptions must themselves be proved without any assumptions. There is a natural temptation to argue that $\langle\varphi\rangle M \langle\psi\rangle$ and $\langle\psi\rangle M' \langle\varphi\rangle$ should be sufficient to conclude $\langle\rangle M \parallel M' \langle\varphi\rangle$ and $\langle\rangle M \parallel M' \langle\psi\rangle$, but such circular reasoning is generally not sound.

Example 3.1 Consider the Moore machine for the circuit of figure 2.2. For convenience, the Moore machine is reproduced in figure 3.1; we will call it $M$. Assume that we wish to prove that the composition of $M$ with the Moore machine $M'$ of figure 3.2 (representing the circuit of figure 2.4) satisfies the specification $AG(p = 0 \vee q = 0)$. We can see that this should be true since:

1. $M$ only sets $p = 1$ at the same instant that it first sets $r = 1$; and

2. $M'$ sets $q = 0$ when it observes $r = 0$, and does not set $q = 1$ until one step after it observes $r = 1$.

So, when $r$ first changes from 0 to 1, $p$ does so simultaneously. At that point, $q$ is still 0, since the change in $r$ has not been observed yet. One step later, $p$ changes back to 0, while $q$ observes the change in $r$ and transitions to 1.

Figure 3.1: Moore machine for the circuit of figure 2.2

Figure 3.2: Moore machine for the circuit of figure 2.4

We can verify the specification using assume-guarantee style reasoning as follows. First, we express the above assumption about $M'$: $AG(r = 0 \rightarrow AX\, q = 0)$. Next, we check that $M'$ in fact satisfies this assumption. Finally we use this assumption to show that $M$ satisfies the desired specification, and conclude that $M \parallel M'$ satisfies the specification.

$$\langle\rangle M' \langle AG(r = 0 \rightarrow AX\, q = 0)\rangle$$
$$\langle AG(r = 0 \rightarrow AX\, q = 0)\rangle M \langle AG(p = 0 \vee q = 0)\rangle$$
$$\langle\rangle M \parallel M' \langle AG(p = 0 \vee q = 0)\rangle$$

In the next section, we will consider how we actually go about establishing the truth of a triple $\langle\varphi\rangle M \langle\psi\rangle$. □


3.2 Framework

In this section, we describe the basic framework for supporting assume-guarantee style reasoning. (We presented this framework in 1991 [52].) To provide a unified basis for doing assume-guarantee style reasoning and compositional verification, we are going to introduce a notion of simulation between state transition systems. Intuitively, the simulation relation $\preceq$ will capture the notion of what it means for one such system to include “more behaviors” than another. This notion is in fact implicit in the section on ACTL in the previous chapter. There we showed that checking $M \models \varphi$, where $M$ is a Moore machine, could be done by composing $M$ with its maximal environment. In a sense, the maximal environment, which can provide any input at any point, has more behaviors than any other environment. Put another way, the maximal environment can simulate any other environment; our proof of theorem 2.2 was based on this idea.

The relation $\preceq$ will be a preorder, i.e., a reflexive and transitive relation. We could in fact view simulation as the basic relationship between an implementation and a specification. Because of the transitivity of $\preceq$, we would get hierarchical verification essentially for free. For example, if $M \preceq M'$ (“$M'$ can simulate $M$”), and if we want to know whether $M \preceq M''$, then it would be enough to check that $M' \preceq M''$. Here, $M'$ would represent a specification of $M$ that is used to prove a higher level specification $M''$. The simulation relation will also interact with composition in a nice way: if $M \preceq M'$, then we will have $M \parallel M'' \preceq M' \parallel M''$. This type of property allows us to replace an implementation by its specification in a composition. It also gives us the analog of theorem 2.2: if we want to check $M \parallel M' \preceq M''$, where $M''$ is conceptually a local property of $M$, then we can use a maximal environment $E(M)$ for $M$. That is, we will have $M' \preceq E(M)$, and so $M \parallel M' \preceq M \parallel E(M)$. Then by checking $M \parallel E(M) \preceq M''$, we can use transitivity to conclude $M \parallel M' \preceq M''$.

Previously, we had one notion of satisfaction of a temporal logic specification ($\models$). Above, we have suggested a notion of satisfaction of an automata specification ($\preceq$). We would like to have some correspondence between these two notions. This is done via a tableau construction that maps a formula $\varphi$ to an associated state transition system $T(\varphi)$ which is called the tableau of the formula. We will prove that satisfaction of a formula corresponds exactly to being simulated by the tableau for the formula. Thus, $\preceq$ and $\models$ will really turn out to be compatible notions. Further, the tableau construction makes it clear how to do hierarchical reasoning with specifications that are given as formulas. We simply use the standard model checking algorithm at one level, then construct tableaus for the specification formulas and use them as implementations at the next higher level. The tableau construction can also be used for doing things like checking implication between temporal formulas. Viewed another way, the correspondence between state transition systems and formulas allows us to mix and match, using either formulas or automata as either implementations or specifications, whichever is most convenient.

Finally, with the above framework, it is easy to do assume-guarantee style reasoning. The key observation is that an assumption (specified, e.g., as a formula $\varphi$) represents the maximal environment that satisfies that assumption. Consider the following assume-guarantee proof:

$$\langle\rangle M \langle\varphi\rangle$$
$$\langle\varphi\rangle M' \langle\psi\rangle$$
$$\langle\rangle M \parallel M' \langle\psi\rangle.$$

We interpret $\langle\rangle M \langle\varphi\rangle$ as saying that all the behaviors of $M$ can be simulated by $T(\varphi)$, i.e., $M \preceq T(\varphi)$. Because of the correspondence between $\preceq$ and $\models$, this can be checked by verifying $M \models \varphi$. Eventually, we want to conclude that $M \parallel M' \preceq T(\psi)$. To check $\langle\varphi\rangle M' \langle\psi\rangle$, we use $T(\varphi)$ as the maximal environment satisfying $\varphi$, i.e., we verify $T(\varphi) \parallel M' \models \psi$. This is equivalent to saying $T(\varphi) \parallel M' \preceq T(\psi)$. Since $M \preceq T(\varphi)$, we can compose both sides with $M'$ to obtain $M \parallel M' \preceq T(\varphi) \parallel M'$. Then by transitivity, $M \parallel M' \preceq T(\psi)$.

As a final note, we will actually be working with structures rather than Moore machines. This is mainly because formulas do not have notions of inputs and outputs, so the tableau construction will most naturally produce structures. In addition, structures can serve as a kind of “intermediate language” for representing other, more complex types of models, such as Mealy machines [69].


3.3 Structures

In this section, we are concerned with two things. First, we are going to extend the definition of structure to include a kind of infinitary acceptance condition. Such an acceptance condition is used to rule out certain infinite paths through the structure. This is necessary in order to be able to define tableaus for all of the formulas in ACTL, and also to be able to make accurate models of real components. Second, since we are going to be working with structures, we need to define a notion of composition. When the structures represent Moore machines, the definition will correspond to Moore machine composition.

To see why the current notion of structure is inadequate for representing tableaus for all ACTL formulas, we look at a specific example.

Example 3.2 Suppose that $a$ is a state component ranging over $\{0, 1\}$, and consider the formula $AF\, a = 1$. Intuitively, the tableau is going to represent all those behaviors that are consistent with the formula. Thus, a first guess at the tableau might be the structure shown in figure 3.3. The idea is that starting from one of the initial states, we should eventually reach the initial state with $a = 1$. At that point, we know that the requirement that $a$ eventually become 1 has been fulfilled. The transitions from then on are completely unconstrained. The problem of course is that there is nothing to guarantee that the initial state where $a = 1$ is eventually reached. In particular, the structure of figure 3.3 allows the behavior where $a$ remains 0 forever. Thus, this structure would be able to simulate a structure with one (initial) state $s_0$ where $L(s_0, a) = 0$ and the only transition is from $s_0$ to $s_0$. Since the latter structure obviously should not satisfy $AF\, a = 1$, we cannot use the structure of figure 3.3 as the tableau for $AF\, a = 1$. □

Figure 3.3: Proposed tableau for $AF\, a = 1$

In order to avoid this problem, we add another element $F$ to structures. $F$ will represent an infinitary acceptance condition, as used in automata on infinite strings. There are a number of different types of acceptance conditions. One that we will sometimes use for explanatory purposes is Büchi acceptance [20]. In the case of Büchi acceptance, $F$ is a set of states. A path within the structure will be considered legal if there is some state in $F$ that occurs an infinite number of times on the path.

Example 3.3 Consider our previous attempt to construct a tableau for $AF\, a = 1$. Suppose that we let $F$ be the set consisting of the two non-initial states of the structure of figure 3.3. Now the execution in which we continually loop in the initial state where $a = 0$ is not legal, because it does not visit any of the states in $F$ an infinite number of times. (In fact, it never visits any of the states in $F$ at all.) □

Büchi acceptance is sufficient to define tableaus for all ACTL formulas. We will also use infinitary acceptance conditions in making models of components. This is done for two reasons:

1. When hiding internal details of components or modeling classes of components, we use acceptance conditions to capture the notion of “arbitrary but finite” delays.

2. Some components are nondeterministic, but have probabilistic guarantees of fairness.

Example 3.4 We consider the example of a countdown timer. A countdown timer has an input $r$ (for “reset”) and an output $e$ (“expired”). When $r$ becomes 1, an internal counter is reset to some fixed starting value; also, the $e$ output is set to 0. After $r$ becomes 0, the internal counter starts to decrement, and when the counter reaches 0, it halts and $e$ becomes 1. Then $e$ remains at 1 until the next reset. Figure 3.4 shows a Moore machine for a countdown timer with a countdown value of 3. Suppose that we are verifying a system containing such a timer, and that the property we are checking does not depend on the exact number of steps that the timer takes to reach 0. In this case, we can eliminate some of the internal state of the timer model in order to try to simplify the verification. We will use the abstract model of the timer shown in figure 3.5. Now we want to ensure that if $r$ becomes 0 and remains 0, then eventually $e$ must change to 1. This may be done by adding the acceptance condition defined by $GF(r = 0 \rightarrow e = 1)$. Here, $GF$ is a temporal operator indicating “infinitely often”. The intention is that we expand out the Moore machine shown in the figure into its corresponding structure, and those states for which $r = 1$ or $e = 1$ become the elements of $F$. Using the abstract model has another benefit aside from simplifying the verification. In particular, if we were to change the design by substituting a different countdown timer, we would not have to re-verify those properties that we checked using the abstract model. □

Figure 3.4: Model of a specific countdown timer

Figure 3.5: Abstract model of a countdown timer, with acceptance condition $GF(r = 0 \rightarrow e = 1)$


Example 3.5 Suppose that we are modeling an arbiter. An arbiter is a device that receives requests from a number of agents and grants them mutually exclusive access to a shared resource. In addition to making sure that the arbiter only grants the resource to one agent at a time, we may want to say that the arbiter is fair, i.e., it should not ignore a request from any agent indefinitely. Suppose that the arbiter is in a state where $\mathit{deciding} = 1$ when it is about to grant the resource to an agent. Also, assume that agent $i$ makes its request by setting the input $r_i$ to 1 and is granted the resource when the arbiter sets the output $a_i$ to 1. When the agent finishes using the resource, it sets $r_i$ to 0, after which the arbiter sets $a_i$ to 0 and goes back to the deciding state. Our first temptation is to say that $r_i \rightarrow a_i$ should be true infinitely often (for each $i$). The idea would be that when $r_i$ is 1 and $a_i$ is 0, the arbiter is ignoring the agent, and it should not be allowed to do so forever. Suppose, however, that agent 0 makes a request and is granted the resource, and then never releases it. Now if agent 1 makes a request, obviously it cannot be allowed to have the resource until agent 0 releases it. Further, there is no way to compel agent 0 to do so. Thus, the execution where agent 0 hogs the resource should be legal, but it is disallowed by the constraint that $r_1 \rightarrow a_1$ be true infinitely often. In short, by trying to state that the arbiter is fair to agent 1, we have restricted the legal input sequences for agent 0. This is obviously not acceptable in an accurate model of the arbiter. The real constraint that we want to specify is “if infinitely often the arbiter has a chance to make a decision and agent $i$ is requesting the resource, then infinitely often agent $i$ should be granted the resource”. This should be true for every $i$:

$$\bigwedge_i \bigl(GF(\mathit{deciding} \wedge r_i) \rightarrow GF\, a_i\bigr).$$

This type of constraint cannot be captured using simple Büchi acceptance conditions. That is, Büchi acceptance conditions are generally not powerful enough to be able to make accurate models when doing compositional reasoning. Thus, we will actually use a stronger form of acceptance condition called Streett acceptance [87]. Streett acceptance can express constraints like the one above. $F$ will be a set of pairs $(P, Q)$ of sets of states. A path is legal if for every $(P, Q)$, either the path stays inside $P$ after some point, or infinitely often it visits a state in $Q$. That is

$$\bigwedge_{(P, Q)} (FG\, P \vee GF\, Q).$$

$FG$ is a temporal operator expressing “almost always”: it is the dual of $GF$. (In the context of $\omega$-regular language theory, the two types of acceptance conditions are equivalent, provided the automata are allowed to be nondeterministic. However, if we try to change our arbiter example to use Büchi acceptance by adding nondeterminism, we have to alter the branching structure. Since we are working in a branching-time framework, this is not acceptable.) □

We now give the extended definition of a structure that includes an infinitary acceptance condition. Previous constructions involving structures will be extended in the obvious way. For example, when constructing the structure for a Moore machine, we construct $S$, $I$, etc., as before and take $F = \emptyset$.

Definition 3.1 A structure $M = (S, I, R, A, L, F)$ is a tuple of the following form:

1. $S$, $I$, $R$, $A$, and $L$ are as in definition 2.2.

2. $F$ is a set of pairs of subsets of $S$.

We also add the requirement that a sequence of states which is to be considered a path must fulfill the acceptance condition. This extends to the semantics of CTL and ACTL: the $A$ and $E$ quantifiers will range only over such sequences.

Definition 3.2 Assume $M$ is a structure, and let $\pi = s_0 s_1 s_2 \ldots$ be a sequence of states of $M$. We define $\mathit{inf}(\pi)$ to be those $s_i$ such that $s_i$ appears infinitely often in $\pi$. We say that $\pi$ is a path in $M$ starting at $s_0$ when:

1. for all $i$, $R(s_i, s_{i+1})$; and

2. for every $(P, Q) \in F$, either $\mathit{inf}(\pi) \subseteq P$ or $\mathit{inf}(\pi) \cap Q \neq \emptyset$.
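Definition 3.2 can be checked mechanically for any ultimately periodic sequence (a finite prefix followed by a cycle that repeats forever), because $\mathit{inf}(\pi)$ is then exactly the set of states on the cycle. The Python below is an added example, not code from the thesis: it encodes a structure as in definition 3.1 and tests both conditions of definition 3.2 on such a lasso. The two structures it builds are constructed for illustration. The first is the abstract countdown timer of example 3.4, whose condition $GF(r = 0 \rightarrow e = 1)$ is written as the Streett pair $(\emptyset, Q)$ because $FG\,\emptyset$ can never hold on an infinite path, so the pair reduces to the Büchi condition $GF\, Q$. The second is a two-state fragment of the arbiter of example 3.5 (the state names and transitions are my simplification), with $\bigwedge_i (GF(\mathit{deciding} \wedge r_i) \rightarrow GF\, a_i)$ written as pairs $(P_i, Q_i)$, $P_i$ being the states where $\mathit{deciding} \wedge r_i$ is false and $Q_i$ the states where $a_i$ holds, beside the naive $GF(r_1 \rightarrow a_1)$ that the text rejects.

```python
from dataclasses import dataclass
from itertools import product
from typing import Any, Callable, Dict, FrozenSet, Hashable, Sequence, Tuple


@dataclass(frozen=True)
class Structure:
    """M = (S, I, R, A, L, F) as in definition 3.1. L maps a state to a dict
    component -> value; F is a tuple of Streett pairs (P, Q) of frozensets."""
    S: FrozenSet[Hashable]
    I: FrozenSet[Hashable]
    R: FrozenSet[Tuple[Hashable, Hashable]]
    A: FrozenSet[str]
    L: Dict[Hashable, Dict[str, Any]]
    F: Tuple[Tuple[FrozenSet[Hashable], FrozenSet[Hashable]], ...] = ()


def states_where(M: Structure, pred: Callable[[Dict[str, Any]], bool]) -> FrozenSet[Hashable]:
    """The states whose labeling satisfies pred."""
    return frozenset(s for s in M.S if pred(M.L[s]))


def is_path(M: Structure, prefix: Sequence[Hashable], cycle: Sequence[Hashable]) -> bool:
    """Definition 3.2 for the ultimately periodic sequence prefix . cycle^omega.

    Condition 1: consecutive states (including the wrap-around of the cycle)
    are R-related. Condition 2: for every (P, Q) in F, inf(pi) lies inside P
    or meets Q; for a lasso, inf(pi) is exactly the set of states on the cycle.
    """
    if not cycle:
        raise ValueError("an infinite sequence needs a non-empty cycle")
    seq = list(prefix) + list(cycle)
    steps = list(zip(seq, seq[1:])) + [(cycle[-1], cycle[0])]
    if any(step not in M.R for step in steps):
        return False
    inf = frozenset(cycle)
    return all(inf <= P or bool(inf & Q) for (P, Q) in M.F)


def abstract_timer() -> Structure:
    """Constructed abstract countdown timer of example 3.4; a state is (r, e).

    r is the reset input and changes freely. From r = 1 the next e is 0;
    from r = 0, e may stay 0 (still counting, for an unspecified number of
    steps) or become 1, and it stays 1 until the next reset. Nothing in R
    forces the counting to end, so GF(r = 0 -> e = 1) is added as the Streett
    pair (empty, Q), which is the Buechi condition GF Q.
    """
    S = frozenset(product((0, 1), (0, 1)))
    R = frozenset(((r, e), (r2, e2)) for (r, e) in S for (r2, e2) in S
                  if (e2 == 0 if r == 1 else e2 >= e))
    L = {(r, e): {"r": r, "e": e} for (r, e) in S}
    M = Structure(S, S, R, frozenset({"r", "e"}), L)
    Q = states_where(M, lambda l: l["r"] == 1 or l["e"] == 1)
    return Structure(M.S, M.I, M.R, M.A, M.L, ((frozenset(), Q),))


def arbiter_fragment(fairness: str) -> Structure:
    """Constructed two-state fragment of the arbiter of example 3.5.

    'd': deciding, both agents requesting. 'h': agent 0 holds the grant and
    never releases it while agent 1 keeps requesting. fairness = 'streett'
    encodes GF(deciding and r_i) -> GF a_i for i = 0, 1 as pairs (P_i, Q_i),
    P_i = states where not (deciding and r_i), Q_i = states where a_i;
    fairness = 'buechi' encodes the naive GF(r_1 -> a_1) as (empty, Q).
    """
    L = {"d": {"deciding": 1, "r0": 1, "r1": 1, "a0": 0, "a1": 0},
         "h": {"deciding": 0, "r0": 1, "r1": 1, "a0": 1, "a1": 0}}
    M = Structure(frozenset(L), frozenset({"d"}),
                  frozenset({("d", "d"), ("d", "h"), ("h", "h")}),
                  frozenset({"deciding", "r0", "r1", "a0", "a1"}), L)
    if fairness == "streett":
        F = tuple((states_where(M, lambda l, i=i: not (l["deciding"] and l[f"r{i}"])),
                   states_where(M, lambda l, i=i: bool(l[f"a{i}"]))) for i in (0, 1))
    elif fairness == "buechi":
        F = ((frozenset(), states_where(M, lambda l: not l["r1"] or bool(l["a1"]))),)
    else:
        raise ValueError(fairness)
    return Structure(M.S, M.I, M.R, M.A, M.L, F)


if __name__ == "__main__":
    T = abstract_timer()
    print("timer, r = 0 and e = 0 forever:", is_path(T, [], [(0, 0)]))          # False
    print("timer, count then expire:", is_path(T, [(0, 0), (0, 0)], [(0, 1)]))  # True
    print("arbiter (Streett), agent 0 hogs:", is_path(arbiter_fragment("streett"), ["d"], ["h"]))  # True
    print("arbiter (Buechi), agent 0 hogs:", is_path(arbiter_fragment("buechi"), ["d"], ["h"]))    # False
```

The timer lasso that loops in $(r = 0, e = 0)$ is rejected (it is the execution example 3.3 rules out), while a lasso that alternates $r = 0$ and $r = 1$ forever is accepted, since $r = 1$ occurs infinitely often and $e$ need never become 1. For the arbiter, the execution in which agent 0 hogs the resource is legal under the Streett pairs, because $\mathit{deciding}$ is never 1 again so $\mathit{inf}(\pi) \subseteq P_i$ for both agents, and illegal under the naive condition, exactly as the text argues.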

We now turn to the definition of composition of structures. As mentioned before, we want this definition to correspond to Moore machine composition in the case that the structures represent Moore machines. That is, we want the following property to hold:

Proposition 3.1 Let $M$ and $M'$ be Moore machines that can be composed. Then $\mathit{struct}(M \parallel M')$ is isomorphic to $\mathit{struct}(M) \parallel \mathit{struct}(M')$.

With this in mind, we consider a specific example to motivate the definition.

Example 3.6 Recall the request-acknowledge circuits that we used as examples in chapter 2. The structures for the Moore machines representing the circuits of figures 2.2 and 2.4 are reproduced in figures 3.6 and 3.7. We call these structures $M$ and $M'$, respectively. The structure representing the composite Moore machine is shown in figure 3.8 (this is the reachable portion of the state space only). Consider the state $rp\bar{a}q$ in the composition. When we project this down onto the sets of state components $A = \{r, p, a\}$ and $A' = \{a, q, r\}$, we obtain labelings $rp\bar{a}$ and $\bar{a}qr$. Thus, it seems natural to view the state $rp\bar{a}q$ as being represented by a pair of states, $rp\bar{a}$ in $M$ and $\bar{a}qr$ in $M'$. Since Moore machine composition is synchronous, composition of structures should be as well, i.e., in a step of the composition, both parts should make transitions. The successors of $rp\bar{a}$ are $rp\bar{a}$ and $rpa$, and the successors of $\bar{a}qr$ are $aqr$ and $aq\bar{r}$. If we look at pairs of these successors, only $rpa$ and $aqr$ have “compatible” labelings. Now the only successor of $rp\bar{a}q$ in the composition is $rpaq$, which in fact does project down to this pair. What about the other pairs though? If we turn back to our physical model of circuits, we see that a pair such as $rp\bar{a}$ and $aqr$ represents a situation in which one part of the circuit sees the logic value 0 on the wire $a$, and the other sees the logic value 1 on the same wire. Since this violates our physical intuition, we shall simply eliminate pairs of states with incompatible labelings from the composition. As for the initial states of the composition, we note that $\bar{r}\bar{p}\bar{a}\bar{q}$, which is an initial state, projects to initial states in both $M$ and $M'$. On the other hand, a state such as $rp\bar{a}\bar{q}$, which projects to an initial state in $M'$ but not in $M$, should not be initial. In summary, to obtain the relationship of proposition 3.1, we should view states of the composition as pairs of component states with compatible labelings. Transitions should correspond to transitions in each component structure, and initial states should correspond to pairs of initial states. Under this interpretation, the composition of $M$ and $M'$ will in fact give rise to the structure in figure 3.8. □

Figure 3.6: Structure for the Moore machine shown in figure 3.1

Figure 3.7: Structure for the Moore machine shown in figure 3.2

Figure 3.8: Structure representing the composite Moore machine

The only minor issue that remains is how to define the acceptance conditions for a composition. We will do it in such a way that a path in the composition corresponds to paths in the components. Also, given a pair of paths in the components such that the labelings along the two paths are compatible, we should be able to lift the pair to a path of the composition. Consider a sequence of states $(s_0, s_0')(s_1, s_1')\ldots$ in the composition of $M$ and $M'$. In order to ensure that $s_0 s_1 \ldots$ represents a path in the first component, we want to check that for each $(P, Q) \in F$, either the $s_i$ are eventually entirely within $P$ or infinitely often visit $Q$. This is equivalent to the $(s_i, s_i')$ eventually being entirely within $P \times S'$ or infinitely often visiting $Q \times S'$. Each acceptance condition pair in $F$ and $F'$ is lifted to a pair for the composition in this way.

Definition 3.3 Let $M$ and $M'$ be two structures. The composition of $M$ and $M'$, denoted $M \parallel M'$, is the structure $M''$ defined as follows:

1. $S''$ is the set of pairs $(s, s') \in S \times S'$ for which $L(s, a) = L'(s', a)$ for all $a$ in $A \cap A'$.

2. $I'' = (I \times I') \cap S''$.

3. $R''((s_0, s_0'), (s_1, s_1'))$ iff $R(s_0, s_1)$ and $R'(s_0', s_1')$.

4. $A'' = A \cup A'$.

5. $L''((s, s'), a) = L(s, a)$ for all $a$ in $A$. $L''((s, s'), a') = L'(s', a')$ for all $a'$ in $A'$.

6. $F'' = \{((P \times S') \cap S'', (Q \times S') \cap S'') \mid (P, Q) \in F\} \cup \{((S \times P') \cap S'', (S \times Q') \cap S'') \mid (P', Q') \in F'\}$.

At the end of this chapter, we will give proofs that the above definition of composition is commutative and associative (up to isomorphism), and also that proposition 3.1 holds.
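Definition 3.3 item by item as executable code, added here as an example; it is not code from the thesis. It composes two constructed structures: the abstract countdown timer of example 3.4 (components $r$ and $e$, with $GF(r = 0 \rightarrow e = 1)$ as the Streett pair $(\emptyset, Q)$) and a two-state environment over the shared component $r$ that asserts a reset for one step and then holds $r = 0$ forever; both the environment and the timer's transition relation are my own. The result exhibits the three effects the text describes: pairs with incompatible labelings on $A \cap A'$ disappear, initial states are pairs of initial states, and each acceptance pair is lifted to $P \times S'$ and $Q \times S'$ restricted to $S''$.

```python
from dataclasses import dataclass
from itertools import product
from typing import Any, Dict, FrozenSet, Hashable, Tuple


@dataclass(frozen=True)
class Structure:
    """M = (S, I, R, A, L, F) as in definition 3.1; F is a tuple of Streett pairs (P, Q)."""
    S: FrozenSet[Hashable]
    I: FrozenSet[Hashable]
    R: FrozenSet[Tuple[Hashable, Hashable]]
    A: FrozenSet[str]
    L: Dict[Hashable, Dict[str, Any]]
    F: Tuple[Tuple[FrozenSet[Hashable], FrozenSet[Hashable]], ...] = ()


def compose(M: Structure, N: Structure) -> Structure:
    """M || N following the six items of definition 3.3."""
    shared = M.A & N.A
    # 1. S'': pairs whose labelings agree on every shared component
    S2 = frozenset((s, t) for s in M.S for t in N.S
                   if all(M.L[s][a] == N.L[t][a] for a in shared))
    # 2. I'': compatible pairs of initial states
    I2 = frozenset((s, t) for (s, t) in S2 if s in M.I and t in N.I)
    # 3. R'': synchronous steps, both components move
    R2 = frozenset(((s, t), (s2, t2)) for (s, t) in S2 for (s2, t2) in S2
                   if (s, s2) in M.R and (t, t2) in N.R)
    # 4./5. A'' and L'': union of the components; shared ones agree, so merge order is immaterial
    A2 = M.A | N.A
    L2 = {(s, t): {**N.L[t], **M.L[s]} for (s, t) in S2}

    # 6. F'': lift (P, Q) to ((P x S') ∩ S'', (Q x S') ∩ S''), and symmetrically for F'
    def lift_left(X):
        return frozenset((s, t) for (s, t) in S2 if s in X)

    def lift_right(X):
        return frozenset((s, t) for (s, t) in S2 if t in X)

    F2 = (tuple((lift_left(P), lift_left(Q)) for (P, Q) in M.F)
          + tuple((lift_right(P), lift_right(Q)) for (P, Q) in N.F))
    return Structure(S2, I2, R2, A2, L2, F2)


def projects_to_components(C: Structure, M: Structure, N: Structure) -> bool:
    """Every step of C = M || N is a step of M and a step of N (the property behind the definition)."""
    return all((s, s2) in M.R and (t, t2) in N.R for ((s, t), (s2, t2)) in C.R)


def abstract_timer() -> Structure:
    """Constructed abstract countdown timer of example 3.4; a state is (r, e).

    From r = 1 the next e is 0 (reset); from r = 0, e may stay 0 or become 1 and
    never drops back without a reset. r is an input and changes freely. The
    condition GF(r = 0 -> e = 1) is the Streett pair (empty, Q): FG(empty) never holds.
    """
    S = frozenset(product((0, 1), (0, 1)))
    R = frozenset(((r, e), (r2, e2)) for (r, e) in S for (r2, e2) in S
                  if (e2 == 0 if r == 1 else e2 >= e))
    L = {(r, e): {"r": r, "e": e} for (r, e) in S}
    Q = frozenset(s for s in S if L[s]["r"] == 1 or L[s]["e"] == 1)
    return Structure(S, S, R, frozenset({"r", "e"}), L, ((frozenset(), Q),))


def pulse_environment() -> Structure:
    """Constructed environment for the shared input r: one reset step, then r = 0 forever."""
    L = {"e0": {"r": 1}, "e1": {"r": 0}}
    return Structure(frozenset(L), frozenset({"e0"}),
                     frozenset({("e0", "e1"), ("e1", "e1")}), frozenset({"r"}), L)


def closed_timer() -> Structure:
    return compose(abstract_timer(), pulse_environment())


if __name__ == "__main__":
    C = closed_timer()
    print("states:", sorted(C.S))            # 4 compatible pairs, e.g. ((1, 0), 'e1') is dropped
    print("initial:", sorted(C.I))           # ((1, 0), 'e0') and ((1, 1), 'e0')
    print("transitions:", sorted(C.R))
    print("lifted Q'':", sorted(C.F[0][1]))  # the self-loop state ((0, 0), 'e1') is not in it
```

Only four of the eight candidate pairs survive item 1, since the environment fixes $r$ in each of its states. The composition still contains the self-loop on $((0, 0), e_1)$, but that state is outside the lifted $Q''$ while $P''$ is empty, so by definition 3.2 no path of the composition may stay there forever: once the environment drops $r$, $e$ must eventually become 1.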


3.4 Simulation Relations

Now we proceed to the definition of simulation. The intuition is similar to that behind traditional Milner-style simulation [70], except that we consider infinite paths instead of single transitions.

Definition 3.4 Let $M$ and $M'$ be two structures with $A \supseteq A'$. A relation $\sqsubseteq$ over $S \times S'$ is a simulation relation between $M$ and $M'$ if for all $s$ and $s'$ satisfying $s \sqsubseteq s'$, the following conditions hold:

1. $L(s, a') = L'(s', a')$ for all $a'$ in $A'$.

2. For every path $\pi = s_0 s_1 s_2 \ldots$ starting at $s = s_0$, there exists a path $\pi' = s_0' s_1' s_2' \ldots$ starting at $s' = s_0'$ such that for all $i$, $s_i \sqsubseteq s_i'$.

The state $s$ of $M$ is simulated by the state $s'$ of $M'$ ($M, s \preceq M', s'$) whenever there exists a simulation relation $\sqsubseteq$ between $M$ and $M'$ such that $s \sqsubseteq s'$. (We often omit $M$ and $M'$ when they are clear from context.) $M'$ simulates $M$ ($M \preceq M'$) whenever for every state $s \in I$, there exists a state $s' \in I'$ such that $M, s \preceq M', s'$.

Note that in this definition, $M'$ may have a smaller set of visible state components than $M$. In this case, we view $A'$ as being the externally visible state components, and $A - A'$ as internal components.
Example 3.7 Consider the countdown timer example (example 3.4). The structure corresponding to the Moore machine of figure 3.4 is given in figure 3.9. We will denote this structure by $M$. The structure $M'$ for the abstract model of a countdown timer is shown in figure 3.10. We have that $M \preceq M'$. To see this, define the relation $\sqsubseteq$ by $s \sqsubseteq s'$ iff $L(s) = L'(s')$. That is, $s_0'$ is related to $s_0$, $s_1$, and $s_2$; $s_1'$ is related to $s_3$; $s_2'$ is related to $s_4$, $s_5$, and $s_6$; and $s_3'$ is related to $s_7$. This obviously satisfies the first condition for a simulation relation: related states have compatible labelings. All paths in $M$ have corresponding paths in $M'$: for example, the path $s_0 s_1 s_2 s_3 s_7 s_0 s_1 s_2 s_3 s_7 \ldots$ corresponds to $s_0' s_0' s_0' s_1' s_3' s_0' s_0' s_0' s_1' s_3' \ldots$. Thus, $\sqsubseteq$ is indeed a simulation relation. Notice that because of the acceptance conditions, the sequence $s_0' s_0' s_0' \ldots$ is not a path in $M'$. This is as expected: there is no path in $M$ where $r$ remains 0 indefinitely and $e$ never becomes 1. Finally, for every initial state of $M$, there is an initial state in $M'$ that is related under $\sqsubseteq$. □

Figure 3.9: Structure for a countdown timer

Figure 3.10: Structure for the abstract model of a countdown timer

Example 3.8 Let $A$ be a set of visible state components, and define $\top(A)$ to be the following structure $M$:

1. $S$ is the set of labeling functions over $A$.

2. $I = S$.

3. $R = S \times S$.

4. $L(f, a) = f(a)$ for all $f \in S$.

5. $F = \emptyset$.

This structure has one state for every possible valuation of the visible state components. Every state is initial, and there is a transition between any pair of states. Further, the acceptance condition is empty, so all sequences of states are legal paths. The structure $\top(A)$ can simulate any other structure whose visible state components include $A$.

Define $\bot(A)$ to be the structure $M$ with $S = I = R = F = \emptyset$. Every structure whose state components are contained in $A$ can simulate $\bot(A)$. □

Example 3.9 Let $M$ be a structure, and suppose that we add initial
states and transitions to $M$ to obtain $M'$. (That is, $S = S'$, $I \subseteq I'$ and
$R \subseteq R'$.) Then $\{\, (s, s) \mid s \in S \,\}$ is a simulation relation, and $M \preceq M'$.
Also, if $M$ has $(P, Q)$ as part of its acceptance condition, then we can
drop the entire pair from $F'$, or we can enlarge $P$ and $Q$ (with respect
to set inclusion) and still maintain the relationship $M \preceq M'$. □

Example 3.10 Here, we consider a way of hiding internal information
in a structure $M$. Let $\mathit{collapse}(s) = L(s)$ for $s \in S$. In other words,
$\mathit{collapse}$ maps a state to the labeling function for that state. Thus,
the only information we have about a state after collapsing is what we
can observe directly. We extend $\mathit{collapse}$ to sets of states and relations
between states in the natural way. Then we take $\mathit{collapse}(M)$ to be the
following structure $M'$:

1. $S' = \mathit{collapse}(S)$.

2. $I' = \mathit{collapse}(I)$.

3. $R' = \mathit{collapse}(R)$.

4. $A' = A$.

5. $L'(L(s), a) = (L(s))(a)$. (The labeling of a labeling function is
given by the labeling function itself.)

6. $F' = \{\, (\mathit{collapse}(P), \mathit{collapse}(Q)) \mid (P, Q) \in F \,\}$.

Now $\{\, (s, L(s)) \mid s \in S \,\}$ is a simulation relation between states of $M$
and states of $M'$, and $M \preceq M'$.

As an example of this type of collapsing, let $M$ be the countdown
timer of figure 3.9. When we collapse $M$, we obtain the structure shown
in figure 3.11. This is almost the same as the abstract countdown timer
model (figure 3.10); the only difference is that collapsing leaves us with
an empty acceptance condition. □


Figure  3.11:  Collapsing  of  the  structure  for  a  countdown  timer 


We now examine some of the properties of the relation $\preceq$. Most
of these were mentioned earlier in section 3.2. The proofs of these
properties will be deferred; here, we will just try to give the intuition
behind each proof.

The first property tells us that the relation $\preceq$ between states is
itself a simulation relation, and is in fact the largest simulation relation
(under the set inclusion ordering).

Theorem 3.1 Let $M$ and $M'$ be two structures with $A \supseteq A'$. The
relation $\preceq$ (between states) is the largest simulation relation between
$M$ and $M'$ (under the set inclusion ordering).

To see this, imagine that we have two states $s$ and $s'$ that are related
by $\preceq$. By definition, we must have some simulation relation $C$
that relates the states. This implies that the states have compatible
labelings. Further, if we look at a path $\pi$ from $s$, there must be some
path from $s'$ that corresponds to $\pi$ via $C$. But since corresponding
states on the two paths are related by $C$, they must also be related
by $\preceq$. Hence $\preceq$ satisfies the conditions for a simulation relation.

The next property forms the basis for doing hierarchical verification.
The important part is that $\preceq$ is a transitive relation.

Theorem 3.2 The relation $\preceq$ is a preorder.

Reflexivity is obvious. For transitivity, suppose we know that $M \preceq
M'$ and $M' \preceq M''$. Intuitively, if we take a state $s$ in $M$, then we should
be able to find a state $s'$ in $M'$ that simulates it. Then this state can
be simulated by some state $s''$ of $M''$. Now the labelings of $s$ and $s''$
must clearly be compatible. Further, given a path from $s$, we can find
a corresponding path from $s'$, and this latter path has a corresponding
path from $s''$. This gives us a correspondence between paths from $s$
and paths from $s''$. Formally, we would show that $C$ defined by

$$C = \{\, (s, s'') \mid \exists s'\,[\, s \preceq s' \wedge s' \preceq s'' \,] \,\}$$

is a simulation relation.

Next, we prove that composition respects the preorder. This is used
to substitute specifications for implementations in compositions.

Theorem 3.3 For all structures $M$, $M'$ and $M''$, if $M \preceq M'$, then $M \parallel M'' \preceq
M' \parallel M''$.

To see why this is true, consider a state $(s, s'')$ of $M \parallel M''$. Since
$M'$ can simulate $M$, there should be some state $s'$ that can simulate $s$.
Now, since the labelings of $s$ and $s'$ must be compatible, $(s', s'')$ must be
a state of the composition $M' \parallel M''$. Given a path in $M \parallel M''$ from $(s, s'')$,
we can project this down into paths $\pi$ and $\pi''$ in $M$ and $M''$, respectively.
Now $\pi$ can be simulated by a path $\pi'$ from $s'$, and $\pi'$ and $\pi''$ can be
combined into a path in $M' \parallel M''$ from $(s', s'')$. Formally, we prove that

$$C = \{\, ((s, s''), (s', s'')) \mid s \preceq s' \wedge s'' \in S'' \,\}$$

is a simulation relation.

The final property that we will use is slightly less intuitive than
the others. It essentially states that composition with a structure $M$ is
idempotent, i.e., doing it more than once has no effect. Perhaps the best
way to think of this is as follows: view a structure $M$ as specifying in
some way a set of allowed behaviors. Composition with $M$ is essentially
intersecting with this set. Once we have done this, intersecting again
will obviously result in no change.

Theorem 3.4 For every structure $M$, $M \preceq M \parallel M$.

The proof of this one is simple: we just note that $\{\, (s, (s, s)) \mid s \in S \,\}$
is a simulation relation.

Now that we have finished defining our preorder and notion of composition,
we can be more precise about how to do compositional and
assume-guarantee style reasoning in our framework. Recall that in section
2.5, we defined the notion of the maximal closing environment
for a Moore machine, and also argued that $M \parallel E(M)$ was isomorphic
to $\mathit{struct}(M)$. We have an analogous result when dealing with structures
alone. Note that while there is no notion of input and output,
and hence no real notion of a closed system, there is a natural maximal
environment for a structure $M$. Also recall the structure $\top(A)$ defined
in example 3.8; $\top(A)$ is able to simulate any structure whose visible
state components include those in $A$. Suppose that $M$ is viewed as a
component, and say that the environment $M'$ will interact with it via
some state components $B \subseteq A$. Then, since $A'$ includes $B$, we know
that $\top(B)$ can simulate $M'$. Now applying theorem 3.3, we find that
$M \parallel M' \preceq M \parallel \top(B)$. Hence, if we want to check that a specification $M''$
is true for any environment $M'$, we can just verify $M \parallel \top(B) \preceq M''$,
since transitivity would then give $M \parallel M' \preceq M''$. (Also, $\top(B)$ is a
potential environment.) However, we also have the following result:

Theorem 3.5 Let $M$ be a structure and $B \subseteq A$; then $M$ is isomorphic
to $M \parallel \top(B)$.

The proof is deferred, but basically consists of the observation that
each state of $M$ is paired with a unique state of $\top(B)$ in the composition,
and that the transition relation of $\top(B)$ is the universal relation.
This result means that when we check $M \preceq M''$, where $M$ is viewed as
a component, we are really checking whether every system containing
$M$ satisfies the specification $M''$. On the other hand, if $M$ is viewed
as a complete system, then we would just be checking that $M$ has the
specified property. In essence, doing a compositional verification, where
we are working with individual components, will involve the same underlying
check as doing a global verification. Because of this, we will
generally omit any mention of maximal environments in what follows.
They may be inserted where appropriate, depending on whether the
structures we are working with are viewed as complete systems or not.

Recall that in an assume-guarantee style proof, we work with triples
of the form $\langle \mathit{assumptions} \rangle\, M\, \langle \mathit{guarantees} \rangle$. We will allow assumptions
and guarantees to be given either via temporal formulas or via structures.
To check a triple, we compose the assumptions with $M$, and
then check that the result can be simulated by the guarantees. Consider
a simple assume-guarantee style argument such as the following:

$$\langle\rangle\, M\, \langle M_\psi \rangle$$
$$\langle M_\psi \rangle\, M'\, \langle M_\chi \rangle$$
$$\langle\rangle\, M \parallel M'\, \langle M_\chi \rangle.$$

Reexpressing this in terms of compositions and simulation checks gives:

$$M \preceq M_\psi$$
$$M_\psi \parallel M' \preceq M_\chi$$
$$M \parallel M' \preceq M_\chi.$$

We can justify the soundness of the argument using the properties of
$\preceq$ and $\parallel$. Since $M \preceq M_\psi$, we can compose both sides with $M'$ to obtain
$M \parallel M' \preceq M_\psi \parallel M'$. We are given that $M_\psi \parallel M' \preceq M_\chi$, so by transitivity
we have the desired conclusion.
Let us also consider a more complex argument that requires the use
of theorem 3.4:

$$\langle\rangle\, M\, \langle M_\psi \rangle$$
$$\langle M_\psi \rangle\, M'\, \langle M_\chi \rangle$$
$$\langle M_\chi \rangle\, M\, \langle M_\xi \rangle$$
$$\langle\rangle\, M \parallel M'\, \langle M_\xi \rangle.$$

Translating gives:

$$M \preceq M_\psi$$
$$M_\psi \parallel M' \preceq M_\chi$$
$$M_\chi \parallel M \preceq M_\xi$$
$$M \parallel M' \preceq M_\xi.$$

As above, $M \preceq M_\psi$ and $M_\psi \parallel M' \preceq M_\chi$ implies that $M \parallel M' \preceq M_\chi$.
Composing both sides with $M$ leads to $M \parallel M' \parallel M \preceq M_\chi \parallel M$. Now
$M_\chi \parallel M \preceq M_\xi$, so by transitivity we obtain $M \parallel M' \parallel M \preceq M_\xi$. Since
composition is commutative and associative, we get $M \parallel M \parallel M' \preceq M_\xi$.
Now we are almost at the desired conclusion, but we have an extra $M$.
Theorem 3.4 tells us that $M \preceq M \parallel M$. Composing both sides of this
with $M'$: $M \parallel M' \preceq M \parallel M \parallel M'$. Finally, applying transitivity gives
the desired result, $M \parallel M' \preceq M_\xi$.
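The following Python code is an added example and is not part of the thesis. It implements structures with an empty acceptance condition, the composition $\parallel$ (pairs of label-compatible states, transitions taken componentwise), the collapse of example 3.10, the largest simulation relation of theorem 3.1 computed as a greatest fixpoint, and the two-premise assume-guarantee argument of this section. The thesis defines simulation through corresponding paths and acceptance conditions; the code relies on the assumption that with $F = \emptyset$ and total transition relations that definition coincides with the stepwise one computed here. Every structure below (a four-state countdown timer, its abstraction, a deliberately wrong abstraction, a latch component, a specification and a toggling environment) is constructed for this example, and the names TIMER, ABSTRACT, STUCK, LATCH, SPEC and TOGGLE are mine.

```python
"""Structures, composition and the simulation preorder of section 3.4,
restricted to structures with an empty acceptance condition (F = {})."""
from dataclasses import dataclass


@dataclass
class Structure:
    comps: frozenset   # visible state components A
    states: frozenset  # S
    init: frozenset    # I
    trans: frozenset   # R, as a set of (s, t) pairs
    label: dict        # L: state -> {component: value}


def compatible(m, s, mp, sp):
    """Labelings agree on every component the two structures share."""
    return all(m.label[s][a] == mp.label[sp][a] for a in m.comps & mp.comps)


def compose(m, mp):
    """M || M': pairs of compatible states, transitions taken componentwise."""
    states = frozenset((s, sp) for s in m.states for sp in mp.states
                       if compatible(m, s, mp, sp))
    init = frozenset(st for st in states if st[0] in m.init and st[1] in mp.init)
    trans = frozenset((st, tt) for st in states for tt in states
                      if (st[0], tt[0]) in m.trans and (st[1], tt[1]) in mp.trans)
    label = {st: {**m.label[st[0]], **mp.label[st[1]]} for st in states}
    return Structure(m.comps | mp.comps, states, init, trans, label)


def collapse(m):
    """Example 3.10: each state is replaced by its own labeling function."""
    key = lambda s: frozenset(m.label[s].items())
    states = frozenset(key(s) for s in m.states)
    return Structure(m.comps, states, frozenset(key(s) for s in m.init),
                     frozenset((key(s), key(t)) for s, t in m.trans),
                     {k: dict(k) for k in states})


def largest_simulation(m, mp):
    """Theorem 3.1 as a greatest fixpoint: start from all label-compatible
    pairs and delete (s, s') while some successor of s has no matching
    successor of s'.  Requires A (of M) to include A' (of M')."""
    assert m.comps >= mp.comps, "M' may only observe components that M has"
    succ = lambda st, x: [t for (u, t) in st.trans if u == x]
    H = {(s, sp) for s in m.states for sp in mp.states if compatible(m, s, mp, sp)}
    changed = True
    while changed:
        changed = False
        for (s, sp) in list(H):
            if any(all((t, tp) not in H for tp in succ(mp, sp)) for t in succ(m, s)):
                H.discard((s, sp))
                changed = True
    return H


def simulates(m, mp):
    """M <= M': every initial state of M is related to some initial state of M'."""
    H = largest_simulation(m, mp)
    return all(any((s, sp) in H for sp in mp.init) for s in m.init)


def assume_guarantee(m, m_psi, mp, m_chi):
    """The two-premise argument of section 3.4: the truth of M <= M_psi,
    of M_psi || M' <= M_chi, and of the conclusion M || M' <= M_chi."""
    return (simulates(m, m_psi),
            simulates(compose(m_psi, mp), m_chi),
            simulates(compose(m, mp), m_chi))


def mk(comps, labels, edges, init):
    """Constructor for the constructed examples below (states = label keys)."""
    return Structure(frozenset(comps), frozenset(labels), frozenset(init),
                     frozenset(edges), labels)


# Constructed countdown timer: four states, only the expiry flag e is visible.
TIMER = mk({'e'}, {'s3': {'e': 0}, 's2': {'e': 0}, 's1': {'e': 0}, 's0': {'e': 1}},
           [('s3', 's2'), ('s2', 's1'), ('s1', 's0'), ('s0', 's3')], ['s3'])
# Abstract timer: "not expired" may last any number of steps before e = 1.
ABSTRACT = mk({'e'}, {'a0': {'e': 0}, 'a1': {'e': 1}},
              [('a0', 'a0'), ('a0', 'a1'), ('a1', 'a0')], ['a0'])
# A wrong abstraction: once expired, it never restarts.
STUCK = mk({'e'}, {'a0': {'e': 0}, 'a1': {'e': 1}},
           [('a0', 'a0'), ('a0', 'a1'), ('a1', 'a1')], ['a0'])
# Component M': d latches the previous value of e (d' = e on every step).
LATCH_LAB = {'n0': {'e': 0, 'd': 0}, 'n1': {'e': 1, 'd': 0},
             'n2': {'e': 0, 'd': 1}, 'n3': {'e': 1, 'd': 1}}
LATCH = mk({'e', 'd'}, LATCH_LAB,
           [(s, t) for s in LATCH_LAB for t in LATCH_LAB
            if LATCH_LAB[t]['d'] == LATCH_LAB[s]['e']], ['n0', 'n1'])
# Specification M_chi: e and d are never both 1, i.e. no two expiries in a row.
SPEC_LAB = {'k00': {'e': 0, 'd': 0}, 'k10': {'e': 1, 'd': 0}, 'k01': {'e': 0, 'd': 1}}
SPEC = mk({'e', 'd'}, SPEC_LAB, [(s, t) for s in SPEC_LAB for t in SPEC_LAB],
          ['k00', 'k10'])
# An unrelated environment that toggles x every step (used for theorem 3.3).
TOGGLE = mk({'x'}, {'x0': {'x': 0}, 'x1': {'x': 1}}, [('x0', 'x1'), ('x1', 'x0')], ['x0'])
```

With these definitions `assume_guarantee(TIMER, ABSTRACT, LATCH, SPEC)` returns `(True, True, True)`: the timer is simulated by its abstraction, the abstraction composed with the latch meets the specification, and therefore (theorem 3.3 plus transitivity) so does the timer composed with the latch. Substituting STUCK for ABSTRACT makes the first premise fail, and `compose(STUCK, LATCH)` itself violates SPEC, which is the situation the assume-guarantee argument is meant to catch. The fixpoint deletes a pair as soon as one successor of $s$ has no partner, so on a structure that lets $e$ stay at 1 the deletion propagates back to the initial state.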

3.5 The Tableau Construction

So far, we have defined notions of composition of structures and simulation
that allow us to do hierarchical and assume-guarantee style
reasoning where the specifications are given as structures. We have
also hinted that there is a correspondence between simulation and satisfaction
of a formula by a structure; in this section, we make that
correspondence precise.

Our tableau construction will have the same flavor as many others:
states of the tableau will consist of information about the labeling
for the visible state components, plus information about what things
should hold in successor states [5, 27, 64, 78, 92]. This latter information
is used to constrain the transition relation.

Example 3.11 Consider the formula $\mathrm{AF}\, a = 1$ that we used earlier
(example 3.2). A state of this tableau will be viewed as consisting of:

1. information about whether $a$ is 0 or 1; and

2. information about whether the eventuality has been fulfilled yet
or not. This information is based on the fixed point equation for
$\mathrm{AF}$: those states where $\mathrm{AF}\, a = 1$ is true are those for which
$a = 1$ or for which $\mathrm{AX}\,\mathrm{AF}\, a = 1$ holds. We can tell whether $a = 1$
based on the visible state component information. However, in
order to tell whether $\mathrm{AX}\,\mathrm{AF}\, a = 1$ holds, we add a bit to the
state that will be 1 for those states satisfying $\mathrm{AX}\,\mathrm{AF}\, a = 1$.

Now a state that has the bit for $\mathrm{AX}\,\mathrm{AF}\, a = 1$ set will be constrained to
have successors that either have $a = 1$ or have the bit for $\mathrm{AX}\,\mathrm{AF}\, a = 1$
set. □

The information about what has to hold in the next state is captured
using the notion of an elementary formula. Each elementary formula
will have the form $\mathrm{AX}\,\psi$ and will be associated with a bit of information
in the states of our tableau. When the bit associated with $\mathrm{AX}\,\psi$ in
a state is 1, it will mean that the successors of that state must be
constrained to be those states where $\psi$ holds. The elementary formulas
of a formula $\varphi$ will be obtained by looking at those subformulas of $\varphi$
involving a temporal operator. Each subformula $\mathrm{AX}\,\psi$ will itself be
an elementary formula. For subformulas such as $\mathrm{A}(\psi \,\mathrm{U}\, \chi)$, we will
use $\mathrm{AX}\,\mathrm{A}(\psi \,\mathrm{U}\, \chi)$ as an elementary formula. In the example above,
$\mathrm{AX}\,\mathrm{AF}\, a = 1$ would be the only elementary formula of $\mathrm{AF}\, a = 1$.

Definition 3.5 The set of elementary formulas of the formula $\varphi$, denoted
by $\mathit{el}(\varphi)$, is defined as follows:

1. $\mathit{el}(\mathit{true}) = \emptyset$.

2. $\mathit{el}(a = d) = \emptyset$.

3. $\mathit{el}(\neg\varphi) = \mathit{el}(\varphi)$.

4. $\mathit{el}(\varphi \wedge \psi) = \mathit{el}(\varphi \vee \psi) = \mathit{el}(\varphi) \cup \mathit{el}(\psi)$.

5. $\mathit{el}(\mathrm{AX}\,\varphi) = \{\mathrm{AX}\,\varphi\} \cup \mathit{el}(\varphi)$.

6. $\mathit{el}(\mathrm{A}(\varphi \,\mathrm{U}\, \psi)) = \{\mathrm{AX}\,\mathrm{A}(\varphi \,\mathrm{U}\, \psi)\} \cup \mathit{el}(\varphi) \cup \mathit{el}(\psi)$.
   $\mathit{el}(\mathrm{A}(\varphi \,\mathrm{V}\, \psi)) = \{\mathrm{AX}\,\mathrm{A}(\varphi \,\mathrm{V}\, \psi)\} \cup \mathit{el}(\varphi) \cup \mathit{el}(\psi)$.
The states of the tableau for $\varphi$ are going to have the form $(f, E)$,
where $f \in \mathit{labelings}(\mathit{comp}(\varphi))$ and $E \subseteq \mathit{el}(\varphi)$. That is, a state will be a
labeling plus a set of elementary formulas (the ones that are supposed
to be true at the state). Now suppose that $\mathrm{AX}\,\psi$ is an elementary
formula that is supposed to hold at some state. We want to constrain
the successors to be those states where $\psi$ is true. But since we have not
yet constructed the transition relation, how do we know which states
are supposed to satisfy $\psi$? At first, it seems that we are caught in a kind
of circularity. We will avoid the problem by using a mapping $\Phi$ that
tells whether a formula should be true of a state based only on the state
and not on its successors. Consider, for example, determining whether
a state satisfies $\mathrm{AF}\, a = 1$. If the labeling of $a$ in the state is 1, we
know it satisfies $\mathrm{AF}\, a = 1$. If the labeling of $a$ is 0, then the only way
that $\mathrm{AF}\, a = 1$ can be true is for all of the state's successors to satisfy
$\mathrm{AF}\, a = 1$. In other words, the state should satisfy $\mathrm{AX}\,\mathrm{AF}\, a = 1$.
This, however, is an elementary formula, and we can tell whether it
should be true by looking only at the state. Overall, a state should
satisfy $\mathrm{AF}\, a = 1$ when it is labeled with $a = 1$ or $\mathrm{AX}\,\mathrm{AF}\, a = 1$.
Given a subformula $\psi$, $\Phi(\psi)$ will give the set of states in the tableau
that should satisfy $\psi$. Then, if a state is marked with the elementary
formula $\mathrm{AX}\,\psi$, we simply ensure that all of its successors are within
the set $\Phi(\psi)$.

The only part of the construction that we have not yet explained
is the method by which we ensure that eventualities are fulfilled. This
will be done using the acceptance conditions. Consider the formula
$\mathrm{AF}\, a = 1$ again. A state that is supposed to satisfy $\mathrm{AX}\,\mathrm{AF}\, a = 1$
has as its successors those states where $a = 1$ or where $\mathrm{AX}\,\mathrm{AF}\, a = 1$
should hold. The danger is that we may pass continually through states
where $a = 0$ but which should satisfy $\mathrm{AX}\,\mathrm{AF}\, a = 1$. We can eliminate
this possibility by requiring that infinitely often, we visit a state where
$a = 1$ or where $\mathrm{AX}\,\mathrm{AF}\, a = 1$ is not supposed to be satisfied. We
now give the construction. (Note: the definition below does not handle
certain degenerate cases. Since the changes needed to handle these
cases are somewhat nonintuitive, we defer them until section 8.8.)

Definition 3.6 The tableau of $\varphi$ (over a set of state components $A \supseteq
\mathit{comp}(\varphi)$) is denoted $\mathcal{T}(\varphi)$ and is the structure $M$ given by:

1. $S = \mathit{labelings}(A) \times 2^{\mathit{el}(\varphi)}$.

2. $I = \Phi(\varphi)$, where $\Phi$ is the map from subformulas and elementary
formulas of $\varphi$ to $2^S$ defined as follows:

(a) $\Phi(\mathit{true}) = S$.

(b) $\Phi(a = d) = \{\, (f, E) \in S \mid f(a) = d \,\}$.

(c) $\Phi(\neg\psi) = S - \Phi(\psi)$.

(d) $\Phi(\psi \wedge \chi) = \Phi(\psi) \cap \Phi(\chi)$.
    $\Phi(\psi \vee \chi) = \Phi(\psi) \cup \Phi(\chi)$.

(e) If $\mathrm{AX}\,\psi$ is an elementary formula of $\varphi$, then
    $\Phi(\mathrm{AX}\,\psi) = \{\, (f, E) \in S \mid \mathrm{AX}\,\psi \in E \,\}$.

(f) $\Phi(\mathrm{A}(\psi \,\mathrm{U}\, \chi)) = \Phi(\chi) \cup (\Phi(\psi) \cap \Phi(\mathrm{AX}\,\mathrm{A}(\psi \,\mathrm{U}\, \chi)))$.
    $\Phi(\mathrm{A}(\psi \,\mathrm{V}\, \chi)) = \Phi(\chi) \cap (\Phi(\psi) \cup \Phi(\mathrm{AX}\,\mathrm{A}(\psi \,\mathrm{V}\, \chi)))$.

3. $R((f_0, E_0), (f_1, E_1))$ iff for all $\mathrm{AX}\,\psi \in \mathit{el}(\varphi)$, $\mathrm{AX}\,\psi \in E_0$ implies
$(f_1, E_1) \in \Phi(\psi)$.

4. $L((f, E), a) = f(a)$.

5. The acceptance condition specifies that we cannot have an eventuality
$\mathrm{AX}\,\mathrm{A}(\psi \,\mathrm{U}\, \chi)$ where $\chi$ is never fulfilled:

$$F = \{\, (\emptyset,\ (S - \Phi(\mathrm{AX}\,\mathrm{A}(\psi \,\mathrm{U}\, \chi))) \cup \Phi(\chi)) \mid \mathrm{AX}\,\mathrm{A}(\psi \,\mathrm{U}\, \chi) \in \mathit{el}(\varphi) \,\}.$$

Example 3.12 Back in example 3.1, we argued that assume-guarantee
style reasoning could be used to verify that the composition of the circuits
given in figures 2.2 and 2.4 satisfied the specification $\mathrm{AG}(p =
0 \vee q = 0)$. Let the structures for these two circuits (shown in figures
3.6 and 3.7, respectively) be denoted by $M$ and $M'$. In our assume-guarantee
proof, we were going to use $\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0)$ as an
assumption about $M'$, and then prove the desired property by combining
this assumption with $M$:

$$\langle\rangle\, M'\, \langle \mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0) \rangle$$
$$\langle \mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0) \rangle\, M\, \langle \mathrm{AG}(p = 0 \vee q = 0) \rangle$$
$$\langle\rangle\, M \parallel M'\, \langle \mathrm{AG}(p = 0 \vee q = 0) \rangle.$$

Checking $\langle\rangle\, M'\, \langle \mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0) \rangle$ will be done with our standard
model checking techniques. However, in order to check

$$\langle \mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0) \rangle\, M\, \langle \mathrm{AG}(p = 0 \vee q = 0) \rangle,$$

we need to construct the tableau for $\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0)$ and
compose it with $M$. The states of the tableau will have valuations for
$r$ and $q$, plus information about the elementary formulas. In this case,
there are two elementary subformulas: $\mathrm{AX}\,\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0)$
and $\mathrm{AX}\, q = 0$. Let $\theta$ be the first of these, and let $\chi$ be the second. The
(reachable states of the) tableau are shown in figure 3.12. In the figure,
the states are labeled with $\theta$ and $\chi$ to indicate where these elementary
subformulas are true, even though $\theta$ and $\chi$ are not actually visible state
components. Also, most of the transitions between states are present,
so for clarity, the figure uses dashed lines to show which transitions are
missing. The initial states are those in $\Phi(\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0))$.
This is equal to

$$\Phi(r = 0 \rightarrow \mathrm{AX}\, q = 0) \cap (\Phi(\mathit{false}) \cup \Phi(\mathrm{AX}\,\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0))).$$

(The $\Phi(\mathit{false})$ comes from the fact that $\mathrm{AG}\,\psi$ is an abbreviation for
$\mathrm{A}(\mathit{false} \,\mathrm{V}\, \psi)$.) Evaluating this expression yields those states $(f, E)$
where:

1. either $f(r) = 1$ or $\mathrm{AX}\, q = 0$ ($\chi$) is in $E$; and

2. $\mathrm{AX}\,\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0)$ ($\theta$) is in $E$.

This is all of the states shown in the figure. Further, since $\theta \in E$
for all of these states, all their successors must be in $\Phi(\mathrm{AG}(r = 0 \rightarrow
\mathrm{AX}\, q = 0))$, i.e., we cannot leave the set of states shown. This is how
the $\mathrm{AG}$ is continually enforced. Also note that the transitions that are
missing are those from states where $\chi$ should be true (the lower four
states) to those where $q$ is 1 (the leftmost three states). This enforces
the constraint that when a state should satisfy $\mathrm{AX}\, q = 0$, it in fact
does. After constructing the tableau and doing the model checking, we
find that

$$\langle \mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0) \rangle\, M\, \langle \mathrm{AG}(p = 0 \vee q = 0) \rangle$$

does indeed hold, and so we can in fact conclude

$$\langle\rangle\, M \parallel M'\, \langle \mathrm{AG}(p = 0 \vee q = 0) \rangle,$$

which is the desired result. □

Figure 3.12: Tableau for $\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0)$
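The following Python code is an added example, not code from the thesis. It implements definitions 3.5 and 3.6 for the ACTL fragment used in this section (atomic propositions, negation, conjunction, disjunction, $\mathrm{AX}$, $\mathrm{A}(\cdot \,\mathrm{U}\, \cdot)$ and $\mathrm{A}(\cdot \,\mathrm{V}\, \cdot)$, with $\mathrm{AF}$ and $\mathrm{AG}$ as the abbreviations given above) over boolean state components. The tuple encoding of formulas, the representation of $\Phi$ as Python sets, and the names `el`, `tableau`, `reachable` and `example_3_12` are my choices. Run on the formula of example 3.12 it reproduces what the example states: six states lie in $\Phi(\mathrm{AG}(r = 0 \rightarrow \mathrm{AX}\, q = 0))$, no transition leaves that set, the twelve missing transitions all run from a state carrying $\chi$ to a state with $q = 1$, and $F$ is empty because the only eventuality-like operator is a $\mathrm{V}$. On $\mathrm{AF}\, a = 1$ it produces the single acceptance pair whose second component is the set of states satisfying $a = 1$ or not carrying $\mathrm{AX}\,\mathrm{AF}\, a = 1$.

```python
"""Tableau construction for a fragment of ACTL (Definitions 3.5 and 3.6)."""
from itertools import product

# Formulas are nested tuples:
#   ('true',)   ('atom', a, d)   ('not', f)   ('and', f, g)   ('or', f, g)
#   ('AX', f)   ('AU', f, g) = A(f U g)   ('AV', f, g) = A(f V g)
TRUE = ('true',)
FALSE = ('not', TRUE)


def AF(f):
    return ('AU', TRUE, f)      # AF f abbreviates A(true U f)


def AG(f):
    return ('AV', FALSE, f)     # AG f abbreviates A(false V f)


def el(f):
    """Elementary formulas of f (Definition 3.5): the AX formulas whose
    truth is recorded as a bit in every tableau state."""
    op = f[0]
    if op in ('true', 'atom'):
        return set()
    if op == 'not':
        return el(f[1])
    if op in ('and', 'or'):
        return el(f[1]) | el(f[2])
    if op == 'AX':
        return {f} | el(f[1])
    return {('AX', f)} | el(f[1]) | el(f[2])   # AU and AV


def tableau(f, A, domain=(0, 1)):
    """Definition 3.6: returns (S, I, R, F, Phi) for T(f) over the components
    A (a superset of comp(f)), each ranging over `domain`."""
    A = tuple(sorted(A))
    elems = sorted(el(f), key=repr)
    labelings = [tuple(zip(A, vals)) for vals in product(domain, repeat=len(A))]
    subsets = [frozenset(e for e, on in zip(elems, bits) if on)
               for bits in product((False, True), repeat=len(elems))]
    S = [(lab, E) for lab in labelings for E in subsets]   # labeling x 2^el(f)
    memo = {}

    def phi(g):
        """Phi(g): the states that should satisfy g, decided from the state alone."""
        if g not in memo:
            op = g[0]
            if op == 'true':
                memo[g] = set(S)
            elif op == 'atom':
                memo[g] = {s for s in S if dict(s[0])[g[1]] == g[2]}
            elif op == 'not':
                memo[g] = set(S) - phi(g[1])
            elif op == 'and':
                memo[g] = phi(g[1]) & phi(g[2])
            elif op == 'or':
                memo[g] = phi(g[1]) | phi(g[2])
            elif op == 'AX':                       # read the recorded bit
                memo[g] = {s for s in S if g in s[1]}
            elif op == 'AU':
                memo[g] = phi(g[2]) | (phi(g[1]) & phi(('AX', g)))
            else:                                  # 'AV'
                memo[g] = phi(g[2]) & (phi(g[1]) | phi(('AX', g)))
        return memo[g]

    I = phi(f)
    # Item 3: every AX psi recorded in the source state forces the target into Phi(psi).
    R = {(s, t) for s in S for t in S if all(t in phi(e[1]) for e in s[1])}
    # Item 5: one acceptance pair per until-eventuality AX A(psi U chi).
    F = [(frozenset(), (set(S) - phi(e)) | phi(e[1][2]))
         for e in elems if e[1][0] == 'AU']
    return S, I, R, F, phi


def reachable(init, R):
    """States reachable from `init` under R (the tableau figures show only these)."""
    seen, todo = set(init), list(init)
    while todo:
        s = todo.pop()
        for (u, t) in R:
            if u == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def example_3_12():
    """Tableau of AG(r = 0 -> AX q = 0) from Example 3.12.  Returns the initial
    states, the states reachable from them, the transitions missing among the
    initial states, and the acceptance condition F."""
    phi = AG(('or', ('not', ('atom', 'r', 0)), ('AX', ('atom', 'q', 0))))
    S, I, R, F, _ = tableau(phi, {'r', 'q'})
    missing = [(s, t) for s in I for t in I if (s, t) not in R]
    return I, reachable(I, R), missing, F
```

The construction is exponential in the number of elementary formulas (one bit each) and in the number of components, which is why the thesis builds only the reachable part; `reachable` shows that for the $\mathrm{AG}$ formula the reachable part is exactly $\Phi(\varphi)$, since every state there carries $\theta$ and so may only step into $\Phi(\varphi)$ again.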

Example 3.13 In this example we consider a tableau that has a nontrivial
acceptance condition. The actual tableau for $\mathrm{AF}\, a = 1$ is
shown in figure 3.13. In the figure, $\psi$ denotes the elementary formula
$\mathrm{AX}\,\mathrm{AF}\, a = 1$. As in figure 3.12, only the missing transitions are shown.
In this case, we cannot go from a state where $\mathrm{AX}\,\mathrm{AF}\, a = 1$ holds to
one where both $a = 0$ and $\neg\mathrm{AX}\,\mathrm{AF}\, a = 1$. The acceptance condition
requires that if $\mathrm{AX}\,\mathrm{AF}\, a = 1$ becomes true, then eventually we must
make a transition to a state where $a = 1$. □

We now state the formal connection between satisfaction and simulation.
The proof is deferred.

Figure 3.13: Tableau for $\mathrm{AF}\, a = 1$ (acceptance condition $\mathrm{GF}(a = 1 \vee \neg\psi)$)

Theorem 3.6 Let $M$ be a structure and let $\varphi$ be an ACTL formula
such that $A \supseteq \mathit{comp}(\varphi)$. Then $M \models \varphi$ iff $M \preceq \mathcal{T}(\varphi)$, where the
tableau is over any subset of $A$ containing $\mathit{comp}(\varphi)$.

We also note that the tableau construction can be used to do
temporal reasoning. In ACTL, $\varphi \rightarrow \psi$ is generally not a legal formula
due to the restriction that we only use the $\mathrm{A}$ path quantifier. Thus, we
cannot use the usual trick of checking whether $\varphi \rightarrow \psi$ is a tautology.
Instead, we use a semantic notion of entailment.

Definition 3.7 Let $\varphi$ and $\psi$ be ACTL formulas. We write $\varphi \models \psi$
whenever for every structure $M$ with $A \supseteq \mathit{comp}(\varphi) \cup \mathit{comp}(\psi)$, if $M \models
\varphi$, then $M \models \psi$.

The formula $\varphi$ is a tautology iff $\mathit{true} \models \varphi$. $\varphi$ is satisfied by some
nontrivial structure (one with a non-empty set of initial states and
some path starting at one of these states) iff it is not the case that
$\varphi \models \mathrm{AX}\,\mathit{false}$. We can check for semantic entailment using the tableau
construction in the obvious way.

Proposition 3.2 $\varphi \models \psi$ iff $\mathcal{T}(\varphi) \models \psi$. (The tableau is over $\mathit{comp}(\varphi) \cup
\mathit{comp}(\psi)$.)

Since the proof is short, we give it here.

Proof Suppose $\varphi \models \psi$. The tableau for $\varphi$ satisfies $\varphi$, so by definition
of semantic implication, it satisfies $\psi$ as well.

Suppose $\mathcal{T}(\varphi) \models \psi$, and let $M$ be a structure with $A \supseteq \mathit{comp}(\varphi) \cup
\mathit{comp}(\psi)$. If $M \models \varphi$, then $M \preceq \mathcal{T}(\varphi)$. But $\mathcal{T}(\varphi) \models \psi$, and so $\mathcal{T}(\varphi) \preceq
\mathcal{T}(\psi)$. By transitivity, $M \preceq \mathcal{T}(\psi)$, and so $M \models \psi$. □

3.6 Example: A Simple CPU Controller

In this section, we describe a controller for a simple stack-based CPU
and give some ACTL specifications describing its correctness. Then we
prove these properties using assume-guarantee style reasoning. This
CPU controller design is from a paper by Clarke, Long, and McMillan
[32].

Figure 3.14 gives a block diagram of the CPU. The controller contains
two main modules: an access unit (AU) and an execution unit
(EU). The access unit controls the fetching of instructions and the reads
and writes to data memory. Instructions are prefetched and stored in an
instruction queue (IQ), so that the execution unit will spend less time
waiting for instructions to be obtained from memory. The AU also
maintains a top-of-stack register (TS) that caches the memory word
corresponding to the current stack pointer. Words that are pushed
on the stack are stored in this register and flushed to memory when
time permits. Similarly, a pop instruction can use the contents of this
register without waiting for memory; while this is happening, the TS
register is refilled. The execution unit is actually in charge of interpreting
the instructions. Our specification will deal mainly with properties
of the AU part of the controller, so we will not discuss the EU in detail.
We now turn to the signals used by the AU to communicate with
its environment. These signals will be used when we give the formal
specification later.

The access unit communicates directly with the execution unit via
a set of eight lines. Four run from the execution unit to the access
unit: push, pop, fetch and branch. These signals are used by the EU to
express its request to perform the indicated operation. The push and
pop signals are used to manipulate the stack, and the fetch signal is used
to get the next instruction from the IQ. The EU uses the branch signal
to tell the AU that it wants to execute a (conditional or unconditional)
branch and that the instruction queue should be flushed and refilled
starting at the new program counter (PC) value. Each of these signals
has a corresponding acknowledgment going from the AU to the EU:
push-rdy, pop-rdy, fetch-rdy and branch-rdy. When, e.g., push and
push-rdy are both high, a word is pushed on the stack. The AU may
assert these ready signals before the EU requests the corresponding
operation; they are used by the AU to indicate its ability to perform
the indicated action immediately.

The access unit also has outputs that control memory reads and
writes, and that go to elements of the data path such as the PC and
TS registers. The signals mem-rd and mem-wr are set high to indicate
that a memory read or memory write should be performed. The word to
be placed on the memory address lines is signaled by SP-to-mem-a and
PC-to-mem-a; these drive the stack pointer and program counter onto
the address lines, respectively. The top of stack register is driven onto
the memory data lines using TS-to-mem-d. Data coming from memory
can be gated into the TS register or into the IQ via mem-d-to-TS and
mem-d-to-IQ. The memory signals completion of a requested operation
using the mem-ack input. To execute a memory cycle, the AU
simultaneously asserts mem-rd or mem-wr together with one of the
signals controlling the memory address bus. When writing, it also asserts
TS-to-mem-d to drive the data bus. When executing a read, it
directs the data into either the TS register or the IQ. It holds these
signals until mem-ack is asserted, then it lowers its control signals and
proceeds.

Machine instructions are eight bits long, and two are packed into
each sixteen bit machine word. The IQ holds one word which is fetched
from an even-aligned address. Hence, when an instruction corresponding
to an odd program counter address is used by the EU, the IQ must
be refilled. The low bit of the program counter, $PC_0$, is available to
the AU so that it can detect this situation.

The model of the CPU controller is given in the hardware description
language CSML (Compositional State Machine Language) [32].
CSML is an extension of the SML language [14] and is designed to support
the modular design of finite-state controllers. It provides a module
facility to augment SML's procedural description constructs. From the
point of view of our verification techniques, the important feature is
that its output is a series of Moore machines, one per state machine
in the design. We will not go into detail on all the facilities of CSML
here. Instead, we will give a simple example, and then proceed to the
CSML code for the AU.

Figure  3.15  is  a  CSML  program  describing  a  system  composed  of 
a  producer  module  and  a  consumer  module  which  synchronize  using  a 
four-phase  handshake.  In  CSML  (as  in  SML),  raising  or  lowering  an 
externally  visible  signal  takes  one  time  step,  i.e.,  one  Moore  machine 
transition  occurs.  All  other  computation  takes  no  (external)  time.  The 
raise  and  lower  statements  are  used  to  set  and  reset  signals.  The 
control  constructs  such  as  while  and  loop  have  the  obvious  meanings. 
The  process  declarations  (starting  on  line  26)  actually  create  the  two 
Moore  machines  in  this  example.  A  processtype  (line  4)  is  used  to 
give  a  template  for  each  machine. 

We now turn to the CSML description of the AU. The main functions
of the AU are managing the TS register and the IQ. The top-of-stack
register can conceptually be in one of three states.

1. It may be invalid, in which case the EU is allowed to push (store
data in TS), but not pop (get data from it).

2. It may be valid, meaning that the data in TS matches what is in
memory at the address indicated by the SP. In this case, the EU
may either push or pop.

3. It may be modified, meaning that the EU has placed data in the
TS register and that data has not yet been copied out to memory.
In this case, the EU is allowed to pop, but it cannot be allowed
to execute a push.

The transitions between these states are as shown in the state transition
diagram in figure 3.16.

Part of the AU code that is used to control the TS register state
is shown in figure 3.17. This code tells how the state changes when
the EU executes a push or pop. The compress statement (line 2) is
 1  program prodcom
 2    output produce, consume;
 3    internal req, ack;
 4    processtype producer(request, acknowledge, produce)
 5      input request;
 6      output acknowledge=false, produce=false;
 7      loop
 8        while (!request) do loop skip endloop;
 9        raise(produce); lower(produce);
10        raise(acknowledge);
11        while (request) do loop skip endloop;
12        lower(acknowledge)
13      endloop
14    endtype
15    processtype consumer(acknowledge, request, consume)
16      input acknowledge;
17      output request=false, consume=false;
18      loop
19        raise(request);
20        while (!acknowledge) do loop skip endloop;
21        raise(consume); lower(consume);
22        lower(request);
23        while (acknowledge) do loop skip endloop
24      endloop
25    endtype
26    process producer1: producer(req, ack, produce);
27    process consumer1: consumer(ack, req, consume)
28  endprog

Figure 3.15: Producer-consumer program in CSML
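The following Python code is an added example, not code from the thesis or from the CSML tool. It rewrites the two processes of figure 3.15 as generators and runs them in lockstep as Moore machines under the timing rule stated above (each raise or lower takes one time step). One assumption is added: each skip inside a wait loop is also taken to cost one step, so that a waiting machine can observe the other's output on the next step. The signal and function names are mine. The two checks at the end verify what the four-phase handshake is supposed to guarantee: produce and consume pulses strictly alternate (producer first, never both in the same step), and acknowledge only rises while request is high, only falls after request has dropped, and request only rises while acknowledge is low.

```python
"""Lockstep execution of the CSML producer/consumer handshake of figure 3.15,
with each process modelled as a generator that yields once per time step."""


def producer(inp):
    """processtype producer(request, acknowledge, produce)."""
    while True:                            # loop
        while not inp['request']:          #   while (!request) do skip
            yield {}
        yield {'produce': True}            #   raise(produce)
        yield {'produce': False}           #   lower(produce)
        yield {'acknowledge': True}        #   raise(acknowledge)
        while inp['request']:              #   while (request) do skip
            yield {}
        yield {'acknowledge': False}       #   lower(acknowledge)


def consumer(inp):
    """processtype consumer(acknowledge, request, consume)."""
    while True:
        yield {'request': True}            #   raise(request)
        while not inp['acknowledge']:      #   while (!acknowledge) do skip
            yield {}
        yield {'consume': True}            #   raise(consume)
        yield {'consume': False}           #   lower(consume)
        yield {'request': False}           #   lower(request)
        while inp['acknowledge']:          #   while (acknowledge) do skip
            yield {}


def run(ticks):
    """Advance both Moore machines in lockstep for `ticks` steps.  A signal
    raised in one step is seen by the other machine only from the next step,
    because every process reads the snapshot taken at the start of the step."""
    signals = {'request': False, 'acknowledge': False,
               'produce': False, 'consume': False}
    inp = dict(signals)                    # shared snapshot read by both processes
    procs = [producer(inp), consumer(inp)]
    trace = []
    for _ in range(ticks):
        inp.clear()
        inp.update(signals)
        for p in procs:
            signals.update(next(p))
        trace.append(dict(signals))
    return trace


def pulses(trace):
    """Rising edges of produce and consume, in order of occurrence."""
    events, prev = [], {'produce': False, 'consume': False}
    for s in trace:
        for name in ('produce', 'consume'):
            if s[name] and not prev[name]:
                events.append(name)
            prev[name] = s[name]
    return events


def alternates(trace):
    """True iff produce and consume pulses strictly alternate, producer first,
    and the two are never high in the same step."""
    if any(s['produce'] and s['consume'] for s in trace):
        return False
    return all(e == ('produce', 'consume')[i % 2]
               for i, e in enumerate(pulses(trace)))


def four_phase(trace):
    """The req/ack wires obey the four-phase discipline: ack rises only while
    req is high, ack falls only after req has dropped, req rises only when
    ack is low."""
    for prev, cur in zip(trace, trace[1:]):
        ack_up = cur['acknowledge'] and not prev['acknowledge']
        ack_down = prev['acknowledge'] and not cur['acknowledge']
        req_up = cur['request'] and not prev['request']
        if (ack_up and not prev['request']) or (ack_down and prev['request']) \
                or (req_up and prev['acknowledge']):
            return False
    return True
```

Under these rules one handshake takes eight steps: request rises, produce pulses two steps later, acknowledge rises, consume pulses, request falls, acknowledge falls, and the cycle repeats, so `run(40)` yields five produce and five consume pulses in alternation. Because every process only sees the previous step's outputs, the checks would flag a variant in which, say, the producer raised acknowledge before lowering produce and the consumer reacted in the same step; that separation of read and write is exactly what the Moore-machine translation of CSML provides.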


94  CHAPTER  3.  COMPOSITIONAL  VERIFICATION,  PART  II 


popped 


Figure  3.16:  TS  state  transition  diagram 
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used  to  cause  all  the  state  changes  to  happen  in  one  external  time  step 
(one  Moore  machine  transition).  The  ts_st  variable  is  used  to  hold 
the  current  state  of  the  TS  register. 
1  loop
2    compress
3      switch
4        case ((ts_st == valid) | (ts_st == invalid)) & push & push_rdy:
5          lower(push_rdy);
6          raise(pop_rdy);
7          ts_st := modified;
8          break;
9        case ((ts_st == valid) | (ts_st == modified)) & pop & pop_rdy:
10         lower(pop_rdy);
11         raise(push_rdy);
12         ts_st := invalid;
13         break;
14       default: skip;
15     endswitch
16   endcompress
17 endloop

Figure 3.17: CSML code implementing TS control

The other piece of code responsible for setting the TS state is the
section in charge of memory accesses. This section is shown in figure 3.18.
The second and third elements of the case statement examine
the state of the TS register. If it is invalid (and the EU is not trying
to execute a push), then the AU may load the register from memory
(line 12). If the state is modified (and the EU does not want to pop),
then the TS contents are copied to memory (line 21). This part of the
code is also responsible for prefetching instructions (line 3).

1  loop
2    switch
3      case iq_st == invalid:
4        compress
5          lower(branch_rdy);
6          read(pc_to_mem_a, mem_d_to_iq);
7          iq_st := valid;
8          raise(fetch_rdy);
9          raise(branch_rdy)
10       endcompress;
11       break;
12     case ts_st == invalid & !push:
13       compress
14         lower(push_rdy);
15         read(sp_to_mem_a, mem_d_to_ts);
16         ts_st := valid;
17         raise(push_rdy);
18         raise(pop_rdy)
19       endcompress;
20       break;
21     case ts_st == modified & !pop:
22       compress
23         lower(pop_rdy);
24         write(sp_to_mem_a, ts_to_mem_d);
25         ts_st := valid;
26         raise(push_rdy);
27         raise(pop_rdy)
28       endcompress;
29       break;
30     default: skip;
31   endswitch
32 endloop

Figure 3.18: CSML code for controlling memory accesses

The access unit also manages the IQ. This is done in a similar
manner to the TS register control (figure 3.17); for brevity, we omit the
actual code. Altogether, the AU is composed of these three threads of
control (TS and IQ managers, and memory access manager) running in
parallel. When processed by the CSML compiler, the result is a Moore
machine with thirteen states.

The  execution  unit  is  more  complex;  it  essentially  consists  of  a  large 
case  statement,  with  one  case  per  instruction.  We  will  not  give  the 
code  here,  but  it  compiles  into  a  Moore  machine  with  98  states.  The 
combined  CPU  controller,  plus  a  two  state  memory  model,  is  a  Moore 
machine  with  1077  states. 

We  now  give  a  formal  specification  of  the  AU  in  ACTL.  A  formal 
specification  of  the  EU  will  not  be  given;  it  would  consist  of  a  large 
number  of  cases  (one  per  instruction).  To  begin,  we  will  define  a  few 
abbreviations  that  will  be  used  throughout  the  formulas  here.  The  first 
ones  are  used  to  say  that  a  push,  pop,  fetch  or  branch  has  occurred. 
Each  of  them  is  a  conjunction  of  an  EU  request  signal  and  an  AU 
acknowledge  signal. 

$\textit{pushed} = \textit{push} \wedge \textit{push-rdy}$
$\textit{popped} = \textit{pop} \wedge \textit{pop-rdy}$
$\textit{fetched} = \textit{fetch} \wedge \textit{fetch-rdy}$
$\textit{branched} = \textit{branch} \wedge \textit{branch-rdy}$

The next three tell when the IQ is being loaded and when the TS
register is being loaded or stored into memory. For example, the IQ is
being loaded when the PC is being driven onto the memory address bus,
the AU is reading from memory, and the data from memory is being
gated into the IQ.

$\textit{TS-load} = \textit{mem-rd} \wedge \textit{SP-to-mem-a} \wedge \textit{mem-d-to-TS}$
$\textit{TS-store} = \textit{mem-wr} \wedge \textit{SP-to-mem-a} \wedge \textit{TS-to-mem-d}$
$\textit{IQ-load} = \textit{mem-rd} \wedge \textit{PC-to-mem-a} \wedge \textit{mem-d-to-IQ}$

The last one states that the final instruction in the IQ has just been
fetched.

$\textit{IQ-emptied} = \textit{fetched} \wedge \textit{PC}_0$

The first class of formulas are some basic safety properties of the
access unit. They require that the AU not issue spurious reads and
writes, and that each memory access be an IQ or TS load, or a TS
store.

$\mathbf{AG}(\textit{SP-to-mem-a} \rightarrow \textit{TS-load} \vee \textit{TS-store})$ (3.1)

$\mathbf{AG}(\textit{mem-d-to-TS} \rightarrow \textit{TS-load})$ (3.2)

$\mathbf{AG}(\textit{TS-to-mem-d} \rightarrow \textit{TS-store})$ (3.3)

$\mathbf{AG}(\textit{PC-to-mem-a} \rightarrow \textit{IQ-load})$ (3.4)

$\mathbf{AG}(\textit{mem-d-to-IQ} \rightarrow \textit{IQ-load})$ (3.5)

$\mathbf{AG}(\textit{mem-rd} \rightarrow \textit{TS-load} \vee \textit{IQ-load})$ (3.6)

$\mathbf{AG}(\textit{mem-wr} \rightarrow \textit{TS-store})$ (3.7)


We also cannot allow multiple memory accesses to be attempted at the
same time. The AU should not, e.g., drive both mem-rd and mem-wr
high at the same time.

$\mathbf{AG}(\neg\textit{TS-load} \vee \neg\textit{TS-store})$ (3.8)

$\mathbf{AG}(\neg\textit{TS-load} \vee \neg\textit{IQ-load})$ (3.9)

$\mathbf{AG}(\neg\textit{TS-store} \vee \neg\textit{IQ-load})$ (3.10)

Next, we require that if the AU requests a memory operation, then
it must continue to request that operation until it receives an acknowledgment.
That is, memory requests cannot be aborted in mid-cycle.
We can express this using the $\mathbf{V}$ (release) operator: mem-ack will release the
requirement that the load or store signals remain stable.

$\mathbf{AG}(\textit{TS-load} \rightarrow \mathbf{A}(\textit{mem-ack}\ \mathbf{V}\ \textit{TS-load}))$ (3.11)

$\mathbf{AG}(\textit{TS-store} \rightarrow \mathbf{A}(\textit{mem-ack}\ \mathbf{V}\ \textit{TS-store}))$ (3.12)

$\mathbf{AG}(\textit{IQ-load} \rightarrow \mathbf{A}(\textit{mem-ack}\ \mathbf{V}\ \textit{IQ-load}))$ (3.13)

Also, the access unit should not offer the EU the chance to push, pop,
fetch or branch while a memory cycle that might interact with the operation
is going on. (These requirements ensure, e.g., that the address
being driven onto the memory address bus does not change.)

$\mathbf{AG}(\textit{TS-load} \vee \textit{TS-store} \rightarrow \neg\textit{push-rdy} \wedge \neg\textit{pop-rdy})$ (3.14)

$\mathbf{AG}(\textit{IQ-load} \rightarrow \neg\textit{fetch-rdy} \wedge \neg\textit{branch-rdy})$ (3.15)
The next set of properties are used to check that the operations
allowed by the access unit on the TS register follow the state transition
diagram given in figure 3.16. Note that when the state of the TS
register is valid, then either a push or a pop is legal. Also, while the
actual AU does not load or store the top-of-stack in this state, doing
so would not cause an error. Hence, we impose no constraints on the
actions performed while TS is valid. Next, consider the invalid state.
This state is entered when a pop operation is executed. Starting from
this state, we cannot allow another pop, and we cannot store the TS
register into memory. The TS register will cease to be invalid after
the TS register is loaded from memory, or after the EU pushes a word
on the stack. Thus, we want to express "after a pop, no pop or TS
store can occur until after a TS load or a push." This is done with the
following formula:

$\mathbf{AG}(\textit{popped} \rightarrow \mathbf{AX}\,\mathbf{A}(((\textit{TS-load} \wedge \textit{mem-ack}) \vee \textit{pushed})\ \mathbf{V}\ (\neg\textit{pop-rdy} \wedge \neg\textit{TS-store}))).$ (3.16)

The TS register should also start out in the invalid state, so we obtain
the related requirement, which constrains the same two signals from the initial states:

$\mathbf{A}(((\textit{TS-load} \wedge \textit{mem-ack}) \vee \textit{pushed})\ \mathbf{V}\ (\neg\textit{pop-rdy} \wedge \neg\textit{TS-store})).$ (3.17)

If the TS register is in the modified state (as the result of a push), then
both pushes and TS loads are illegal. The TS register state should only
change when a pop occurs, or when the TS register contents are stored
into memory. We express this requirement with the formula:

$\mathbf{AG}(\textit{pushed} \rightarrow \mathbf{AX}\,\mathbf{A}(((\textit{TS-store} \wedge \textit{mem-ack}) \vee \textit{popped})\ \mathbf{V}\ (\neg\textit{push-rdy} \wedge \neg\textit{TS-load}))).$ (3.18)

We now turn to requirements for how the IQ is managed. The IQ
can be in one of two states: valid, indicating that there is a valid instruction
in the queue waiting to be fetched; and invalid, indicating
that there is no such instruction. Figure 3.19 shows the possible transitions
between these states. When the IQ is in the valid state, we have
no constraints on fetches. The IQ state changes to invalid when either
a fetch from the last location in the queue or a branch occurs. From
the invalid state, no additional fetches can be allowed until the IQ is
loaded from memory.

[Figure 3.19: IQ state transition diagram (states valid and invalid; the edge from invalid to valid is labeled $\textit{IQ-load} \wedge \textit{mem-ack}$ and the edge from valid to invalid is labeled $\textit{IQ-emptied} \vee \textit{branched}$).]

Thus, we have the requirement:

$\mathbf{AG}(\textit{IQ-emptied} \vee \textit{branched} \rightarrow \mathbf{AX}\,\mathbf{A}((\textit{IQ-load} \wedge \textit{mem-ack})\ \mathbf{V}\ \neg\textit{fetch-rdy})).$ (3.19)

The IQ also starts in the invalid state, so we also have the related
formula:

$\mathbf{A}((\textit{IQ-load} \wedge \textit{mem-ack})\ \mathbf{V}\ \neg\textit{fetch-rdy}).$ (3.20)

Note that all of the above properties are safety properties; none
of them make any guarantees that progress will occur. The following
formulas are used to specify that pushes, pops, fetches, and branches
always complete.

$\mathbf{AG}(\textit{push} \rightarrow \mathbf{AF}\,\textit{pushed})$ (3.21)

$\mathbf{AG}(\textit{pop} \rightarrow \mathbf{AF}\,\textit{popped})$ (3.22)

$\mathbf{AG}(\textit{fetch} \rightarrow \mathbf{AF}\,\textit{fetched})$ (3.23)

$\mathbf{AG}(\textit{branch} \rightarrow \mathbf{AF}\,\textit{branched})$ (3.24)

Finally, we check that the controller continually fetches new instructions:

$\mathbf{AG}\,\mathbf{AF}\,\textit{fetched}$ (3.25)

We used a BDD-based model checker to verify that the system composed
of the AU and EU satisfied the above specification (with some
weak assumptions about how the memory behaves). The basic safety
properties (formulas 3.1 through 3.15) were checked using the AU alone.
As an example, for formula 3.1 we verified:

$\langle\,\rangle\, M_{AU} \models \mathbf{AG}(\textit{SP-to-mem-a} \rightarrow \textit{TS-load} \vee \textit{TS-store}),$

where $M_{AU}$ is the structure representing the Moore machine for the
AU, and the empty assumption list $\langle\,\rangle$ indicates that nothing was
assumed about the environment. This implies that every system that
can be constructed using the AU satisfies this particular formula.

We also tried using just the AU to verify some of the more complex
properties such as formulas 3.16 and 3.18. All of the formulas failed to
check, so we examined the error traces produced by the model checker
to try to determine the cause of the failure. In all of the traces, the
inputs from memory were not behaving as we would have expected
in a real system. In particular, the memory acknowledgment signal
sometimes went high when there was no pending request. We therefore
constructed a model of how the memory was supposed to behave. This
model, which we denote by $M_{mem}$, is shown in figure 3.20. The figure
depicts a Moore machine; the actual model used is the corresponding
structure.

With this model of the memory as an assumption, all of the formulas
3.17 through 3.20 are true. So, for example, we have:

$\langle M_{mem} \rangle\, M_{AU} \models \mathbf{A}(((\textit{TS-load} \wedge \textit{mem-ack}) \vee \textit{pushed})\ \mathbf{V}\ (\neg\textit{pop-rdy} \wedge \neg\textit{TS-store})).$

The specification given by 3.16 remains false however. Upon examining
the error trace, we find a situation where both the push-req and pop-req
signals become true simultaneously, i.e., the EU attempts both a push
and a pop at the same time. This behavior is obviously illegal, so we
make another assumption to eliminate it:

$\mathbf{AG}(\neg\textit{push-req} \vee \neg\textit{pop-req}).$ (3.26)

With this assumption plus the assumption $M_{mem}$, formula 3.16 becomes
true.
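The assume-guarantee step just described can be reproduced in a few dozen lines of explicit-state Python. The following is an added example, not code from the thesis or its CSML compiler. It abstracts the TS-register control of figures 3.17 and 3.18 to a Moore machine whose control state is (ts_st, busy), where busy is an assumed flag meaning that a TS load (from invalid) or TS store (from modified) is in progress; the output equations for push-rdy, pop-rdy, TS-load and TS-store, and the priority of the push case over the pop case, are my reading of the CSML code. EU requests and mem-ack are free inputs folded into the state, as in the struct construction, and an assumption is imposed as a restriction on the input valuations the environment may produce. The release operator is computed as the greatest fixed point of $Z = \chi \wedge (\psi \vee \mathbf{AX}\,Z)$. The checks show formula 3.14 holding on the AU alone, formula 3.16 failing on the AU alone (the failing trace is the simultaneous push and pop of the text) and formula 3.16 holding once assumption 3.26 is added. The memory model $M_{mem}$ is not needed here because this abstraction ignores mem-ack when no request is pending.

```python
from collections import deque
from itertools import product

INVALID, VALID, MODIFIED = "invalid", "valid", "modified"


def au_outputs(ts_st, busy):
    """Moore outputs of the abstract AU in control state (ts_st, busy).
    busy (assumed flag) = a TS load or TS store cycle is in progress."""
    return {
        "push_rdy": not busy and ts_st != MODIFIED,  # push legal unless modified
        "pop_rdy": not busy and ts_st != INVALID,    # pop legal unless invalid
        "ts_load": busy and ts_st == INVALID,
        "ts_store": busy and ts_st == MODIFIED,
    }


def au_step(ts_st, busy, push, pop, mem_ack):
    """One transition; the push case is tried before the pop case as in figure 3.17."""
    out = au_outputs(ts_st, busy)
    if busy:                                   # wait for the memory to acknowledge
        return (VALID, False) if mem_ack else (ts_st, True)
    if push and out["push_rdy"]:
        return (MODIFIED, False)
    if pop and out["pop_rdy"]:
        return (INVALID, False)
    if ts_st == INVALID and not push:          # figure 3.18, line 12: start TS load
        return (INVALID, True)
    if ts_st == MODIFIED and not pop:          # figure 3.18, line 21: start TS store
        return (MODIFIED, True)
    return (ts_st, False)


def label(s):
    """Labeling of a structure state (ts_st, busy, push, pop, mem_ack)."""
    ts_st, busy, push, pop, mem_ack = s
    out = au_outputs(ts_st, busy)
    out.update(mem_ack=mem_ack, pushed=push and out["push_rdy"], popped=pop and out["pop_rdy"])
    return out


def build(env):
    """Reachable structure for the AU with inputs folded into the state.
    env(previous_state_or_None, (push, pop, mem_ack)) is the environment assumption."""
    inputs = list(product([False, True], repeat=3))
    init = {(INVALID, False) + f for f in inputs if env(None, f)}
    succ, todo = {}, deque(init)
    while todo:
        s = todo.popleft()
        if s in succ:
            continue
        nxt = au_step(*s)
        succ[s] = {nxt + f for f in inputs if env(s, f)}
        todo.extend(succ[s])
    return init, succ


def a_release(succ, psi, chi):
    """Sat(A[psi V chi]) as the greatest fixed point of Z = chi & (psi | AX Z)."""
    Z = set(succ)
    while True:
        Z2 = {s for s in Z if chi(s) and (psi(s) or succ[s] <= Z)}
        if Z2 == Z:
            return Z
        Z = Z2


def ag(succ, p):
    return a_release(succ, lambda s: False, p)   # AG p = A[false V p]


def holds(env, formula):
    """True iff every initial state of the structure built under env satisfies formula."""
    init, succ = build(env)
    return init <= formula(succ)


def f_3_14(succ):
    L = label
    return ag(succ, lambda s: not (L(s)["ts_load"] or L(s)["ts_store"])
              or (not L(s)["push_rdy"] and not L(s)["pop_rdy"]))


def f_3_16(succ):
    L = label
    rel = a_release(succ,
                    lambda s: (L(s)["ts_load"] and L(s)["mem_ack"]) or L(s)["pushed"],
                    lambda s: not L(s)["pop_rdy"] and not L(s)["ts_store"])
    ax_rel = {s for s in succ if succ[s] <= rel}
    return ag(succ, lambda s: not L(s)["popped"] or s in ax_rel)


def env_free(prev, f):        # no assumption about the environment at all
    return True


def env_mutex(prev, f):       # assumption 3.26: push-req and pop-req never both high
    push, pop, _ = f
    return not (push and pop)


if __name__ == "__main__":
    print("3.14 on the AU alone:", holds(env_free, f_3_14))
    print("3.16 on the AU alone:", holds(env_free, f_3_16))
    print("3.16 under 3.26:     ", holds(env_mutex, f_3_16))
```

Adding a memory assumption is done the same way: an env function that forbids mem_ack unless the previous state had busy set, which is a one-cycle-latency reading of figure 3.20. The 3.16 failure survives that addition and disappears only with env_mutex, matching the order in which the assumptions were introduced above.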
The only remaining properties to be checked are the progress properties,
plus the assumption 3.26. First, we note that in order to be able
to ensure progress, the memory must be guaranteed to respond to requests
eventually. Consequently, we strengthen our assumption about
the memory's behavior by adding acceptance conditions

$\mathbf{GF}(\textit{mem-rd} \wedge \neg\textit{mem-wr} \rightarrow \textit{mem-ack})$

and

$\mathbf{GF}(\textit{mem-wr} \wedge \neg\textit{mem-rd} \rightarrow \textit{mem-ack}).$

If we now try to check that the AU, plus our assumption about the
memory, satisfies the formulas 3.21 through 3.24, we find that it does
not. The reason is that the EU may make a request and then immediately
remove it without giving the AU time to act. We make additional
assumptions about the EU's behavior to eliminate these possibilities.

$\mathbf{AG}(\textit{push-req} \rightarrow \mathbf{A}(\textit{pushed}\ \mathbf{V}\ \textit{push-req}))$ (3.27)

$\mathbf{AG}(\textit{pop-req} \rightarrow \mathbf{A}(\textit{popped}\ \mathbf{V}\ \textit{pop-req}))$ (3.28)

$\mathbf{AG}(\textit{fetch-req} \rightarrow \mathbf{A}(\textit{fetched}\ \mathbf{V}\ \textit{fetch-req}))$ (3.29)

$\mathbf{AG}(\textit{branch-req} \rightarrow \mathbf{A}(\textit{branched}\ \mathbf{V}\ \textit{branch-req}))$ (3.30)


We now attempt to verify property 3.21 for the AU, the memory model,
and the assumption 3.27. Again, the formula turns out to be false; in
this case, the problem is the EU issuing simultaneous requests. Earlier,
we used an assumption that push and pop requests were mutually
exclusive (formula 3.26). We strengthen this assumption so that it
states that every pair of operations requested by the EU must be mutually
exclusive. The weaker assumption can be discharged using the
stronger one; we simply check semantic implication between the two
formulas. Now using the AU, the memory model, the assumption 3.27,
and the mutual exclusion assumption, we are finally able to verify formula
3.21. Similarly, we can verify each of the other liveness properties
(through 3.24).

Now we have to check the final liveness property (3.25), plus the
assumptions that we made about the behavior of the EU. The assumptions
about the behavior of the EU can be checked using just the EU, so
we successfully discharge them. As for formula 3.25, there are two approaches
that we could use. The first would be to make some additional
assumptions about the EU and check the property using the AU and
these assumptions. We would need to know that the EU does not fetch
an instruction and then execute an infinite sequence of pushes, pops, or
branches. To express this, we could build an abstract model of the EU
such as the one shown in figure 3.21. This figure shows a Moore machine,
but the actual model would be the corresponding structure plus
the indicated acceptance condition. In the figure, push-req has been
abbreviated to push, etc., and idle indicates that push-req, pop-req,
fetch-req, and branch-req are all low.


[Figure 3.21: Execution unit model (Moore machine; of its labels only $\neg\textit{push-rdy}$ and $\neg\textit{branch-rdy}$ survived extraction).]

The other possibility would be to try to check the property on the
EU. In this case, we would need to know that pushes, pops, etc., eventually
complete. However, we have already verified these conditions in
properties 3.21 through 3.24. Using these properties as assumptions
together with the EU is indeed sufficient to prove $\mathbf{AG}\,\mathbf{AF}\,\textit{fetched}$. In
summary then, we have managed to verify all of the properties. The
more complex parts of the specification required us to make an assumption
about how the memory behaved. Given an actual memory
system design, we would need to check that our model of the memory
(figure 3.20, plus an acceptance condition) could in fact simulate the
design.

3.7  Summary 

We have provided a way of doing assume-guarantee style reasoning in
the context of ACTL model checking. In order to do this, we first made
explicit the important notion behind theorem 2.2: that of simulation.
Simulation is a natural relationship between implementation and specification.
It leads directly to the ability to do hierarchical verification:
specifications at one level become "implementations" at the next. By
examining how simulation relates to composition, we were able to give
methods for compositional and assume-guarantee style reasoning. However,
we already had one notion of satisfaction of a specification, $\models$. Via
a tableau construction, we proved that satisfaction of ACTL formulas
corresponds directly to simulation. This link gives us great flexibility
as to our specification methodology when performing assume-guarantee
proofs or doing hierarchical reasoning. We demonstrated these ideas
by verifying some properties of the controller for a simple stack-based
CPU. Further, the general framework discussed in section 3.2 can be
used to construct assume-guarantee style reasoning systems based on
other temporal logics.


3.8  Technical  Details 

In our framework, specifications and assumptions can be given as either
formulas or structures. In the latter case, however, we need methods for
automatically checking whether one structure simulates another one;
that is the subject we now consider. We describe two special case
methods that, in practice, cover most of the cases that arise. Further,
these special case methods are generally much more efficient than a
fully general algorithm.

We have already seen one method: when we are given that the
structure $M'$ is the tableau for a formula $\varphi$, we can check $M \preceq M'$
by verifying $M \models \varphi$ using the standard model checking algorithm for
ACTL. While the model checking algorithm can detect when $M \not\preceq M'$,
this fact alone is not very useful; rather, we would like to demonstrate
explicitly why this is the case. That is, we want to produce a counterexample
illustrating why the formula is false. Consider the problem
of demonstrating why $\varphi$ is false at the state $s$. We break the task into
cases based on the top-level operator of $\varphi$.

1. If $\varphi$ is an atomic formula (or the negation of an atomic formula),
we can just say why it is inconsistent with the labeling of $s$.

2. If $\varphi$ has the form $\psi \wedge \chi$, then at least one of $\psi$ and $\chi$ must be
false at $s$. We call the counterexample procedure recursively for
the appropriate subformula. Dealing with disjunctions $\psi \vee \chi$ is
similar, but we have to demonstrate that both $\psi$ and $\chi$ are false
at $s$.

3. If $\varphi = \mathbf{AX}\,\psi$, then we find a successor $s_1$ of $s = s_0$ that is the
start of some path and for which $\psi$ is false at $s_1$. (The states
that are the start of a path can be found using a standard fixed
point computation.) We display the "path" (actually the prefix
of a path) $s_0 s_1$ and then show why $s_1$ does not satisfy $\psi$.

4. When $\varphi$ has the form $\mathbf{A}(\psi\ \mathbf{V}\ \chi)$, then there must be a path
$s_0 s_1 s_2 \ldots$ starting at $s = s_0$ for which:

(a) $\chi$ is false at some $s_i$, and

(b) for all $j < i$, $\psi$ is false at $s_j$.

Starting from $s_0$, we search forward to find such a path. We will
compute a series of sets $P_i$, where $P_i$ represents the search frontier
after stepping forwards $i$ times. We begin with $P_0 = \{s_0\}$. After
computing $P_i$, we see whether there are any states in $P_i$ that are
the start of some path and that do not satisfy $\chi$. If so, then
we have found one (or perhaps several) $s_i$ satisfying condition 4a
above. We select one such $s_i$; now we must back up to produce a
path to $s_0$. We see which states in $P_{i-1}$ (among those not satisfying $\psi$)
can reach $s_i$ in one step.
Now $s_{i-1}$ is chosen from these states, and we proceed backwards
until we eventually reach $s_0$.

Suppose now that every state in $P_i$ satisfies $\chi$. In this case, we
must search forward another step. However, we also need to be
sure that we do not pass through a state satisfying $\psi$. Thus, we
let $Q_i$ be the states in $P_i$ that do not satisfy $\psi$. We then define
$P_{i+1}$ to be the states reachable by stepping forwards once from $Q_i$.

The above procedure gives us a (prefix of a) path $s_0 s_1 \ldots s_i \ldots$
where $s_i$ does not satisfy $\chi$ and each $s_j$ for $j < i$ does not satisfy
$\psi$. We display this prefix, then call the counterexample facility
recursively to show why $\psi$ is false at the $s_j$ ($j < i$) and why
$\chi$ is false at $s_i$.

5. The most interesting case is for formulas of the form $\mathbf{A}(\psi\ \mathbf{U}\ \chi)$.
Such a formula may be false for one of two reasons.

(a) There may be a path $s_0 s_1 s_2 \ldots$ from $s = s_0$ such that $\psi$ is
false at some $s_i$, and $\chi$ is false at every $s_j$ with $j \le i$ (if $\chi$ held
at $s_i$, the eventuality would already be fulfilled there). We can
determine whether there is such a path (and if so, display
it) using the same techniques as above.

(b) There may be a path $s_0 s_1 s_2 \ldots$ from $s = s_0$ such that $\chi$ is
false at every state on this path. (That is, the eventuality is
never fulfilled.) This is the case we now consider.

Obviously, we cannot construct or display arbitrary infinite paths.
Instead, we will find finite sequences of states $\pi_0$ and $\pi_1$ such that
$\pi_0 \pi_1^\omega$ ($\pi_0$ followed by infinite repetitions of $\pi_1$) is a path from $s$
satisfying these constraints. We can then display $\pi_0$ and $\pi_1$ and
show why $\chi$ is false at every state appearing in $\pi_0$ or $\pi_1$.

The question now is how to find such a pair of sequences. We
will do this by trying to find a fair strongly connected component
(FSCC). A strongly connected component (SCC) is a set of states
where each state in the set can reach every other state in the set
via the transition relation. For every state, there is some SCC
that contains it (a singleton set is an SCC), and there is a unique
maximal SCC (under the set inclusion ordering) containing the
state. An SCC is fair if it contains some path that stays entirely
within the SCC. We only want to consider states where there is
an infinite path along which $\chi$ is false, so we first eliminate all
states not satisfying $\mathbf{EG}\,\neg\chi$ from the structure. (Note that $s$ is
in the result.) Next, we compute the maximal SCC $C$ containing
$s$. We then check to see whether $C$ is an FSCC (this can be done
using a standard fixed point computation). If it is not, then since
$s$ is the start of some path along which $\chi$ is false, we know that
there must be a sequence of transitions from $s$ leading out of $C$
to a state $s'$ that satisfies $\mathbf{EG}\,\neg\chi$. We then find the maximal
SCC containing $s'$, test if this SCC is an FSCC, and, if necessary,
repeat the process. Eventually, we must find a state reachable
from $s$ for which the maximal SCC is an FSCC. The sequence
of transitions from $s$ to this state gives us $\pi_0$, the prefix of the
infinite path that we are constructing.

Now we need to find a loop within the FSCC such that each pair
$(P, Q)$ in the acceptance condition is satisfied along this loop. Recall
that $Q$ represents the "infinitely often" part of the constraint.
Let $C$ denote the FSCC and without loss of generality, assume
that $C$ is the SCC for $s$. Let us first consider the case where for
every pair in the acceptance condition, $Q$ intersects $C$. In this
case, we can simply choose a state from each intersection, visit
these states in some order, and then return to $s$. The result is
a loop containing $s$ along which some state in each $Q$ is visited.
If we let $\pi_1$ be the sequence of states encountered in going once
around this loop, then clearly $\pi_0 \pi_1^\omega$ is a path. Further, we restricted
ourselves earlier to those states satisfying $\mathbf{EG}\,\neg\chi$, so we have
found a path along which $\chi$ remains false.

Suppose now that for some of the pairs $(P, Q)$ in the acceptance
condition, $Q$ does not intersect $C$. In order to satisfy such a pair,
we must have a loop where each state on the loop is in $P$. Since $s$
may not be in $P$, we cannot necessarily find a loop containing $s$.
Thus, we may have to extend the prefix $\pi_0$. Our goal will be to
find an FSCC $C'$ within $C \cap P$, then append a segment to $\pi_0$
that takes us from $s$ to $C'$. Then we will find a loop within $C'$;
note that this entire loop will have to be in $P$. Thus, we can
eliminate $(P, Q)$ from consideration. Eventually, we will either
eliminate all pairs (in which case any loop will satisfy all of the
"almost always" conditions), or we will be able to satisfy all of the
remaining pairs using the "infinitely often" parts. To find $C'$, we
let $D$ be the intersection of $C$ with $P$ and then determine which
states in $D$ are the start of a path that stays entirely within $D$.

Let $D'$ be these states; we restrict our attention only to $D'$. We
choose one of these states, and then find its SCC (within $D'$). If
this SCC is an FSCC, we have found $C'$. Otherwise, we simply
choose a different state of $D'$.
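The counterexample search of items 4 and 5 is short enough to write down in full. The following Python is an added example, not code from the thesis: `release_counterexample` is the frontier search of item 4 (sets $P_i$ and $Q_i$, then backing up through the frontiers), and `until_counterexample` handles item 5, reusing the same search for case (a) with the roles of $\psi$ and $\chi$ swapped and, for case (b), restricting to the states satisfying $\mathbf{EG}\,\neg\chi$ and walking inside that set until a state repeats. That walk is the acceptance-condition-free special case of the FSCC search above: with no $(P, Q)$ pairs every SCC that contains a cycle is fair, so any repeated state closes a valid $\pi_1$. It assumes a total transition relation (every state starts a path), so the "start of some path" tests of the text are trivial. The five-state structure is constructed for the demonstration.

```python
from collections import deque


def release_counterexample(s0, succ, psi, chi):
    """Counterexample for A[psi V chi] at s0 (item 4): a finite path s0 ... si with chi false
    at si and psi false at every earlier state, or None if there is no such path.
    succ(s) returns the set of successors of s; every state is assumed to have one."""
    frontiers, seen = [], set()          # frontiers[i] is Q_i, the psi-free part of P_i
    P = {s0}                             # P_0
    while P:
        bad = sorted(s for s in P if not chi(s))
        if bad:                          # condition 4a: a frontier state violates chi
            path = [bad[0]]
            for Q in reversed(frontiers):        # back up one frontier at a time
                path.insert(0, next(t for t in sorted(Q) if path[0] in succ(t)))
            return path
        seen |= P
        Q = {s for s in P if not psi(s)}         # never step through a psi state
        frontiers.append(Q)
        P = set().union(*(succ(s) for s in Q)) - seen   # P_{i+1}: one step from Q_i


def until_counterexample(s0, succ, psi, chi):
    """Counterexample for A[psi U chi] at s0 (item 5)."""
    # case (a): psi fails before chi is reached; chi must still be false at the failing state
    path = release_counterexample(s0, succ, psi=chi, chi=lambda s: psi(s) or chi(s))
    if path is not None:
        return ("psi fails", path)
    # case (b): chi never holds.  Keep only reachable states with an infinite ~chi path,
    # i.e. the greatest fixed point for EG ~chi over the reachable structure.
    reach, todo = {s0}, [s0]
    while todo:
        for t in succ(todo.pop()):
            if t not in reach:
                reach.add(t)
                todo.append(t)
    Z = {s for s in reach if not chi(s)}
    while True:
        Z2 = {s for s in Z if succ(s) & Z}
        if Z2 == Z:
            break
        Z = Z2
    if s0 not in Z:
        return None                      # the formula is true at s0
    walk, pos = [], {}
    s = s0
    while s not in pos:                  # walk inside Z; the first repeat closes the loop
        pos[s] = len(walk)
        walk.append(s)
        s = min(succ(s) & Z)
    return ("chi never holds", walk[:pos[s]], walk[pos[s]:])   # (pi0, pi1)


# Constructed structure: 0 -> 1 -> {2, 3}; 2 loops on itself; 3 -> 4; 4 loops on itself.
SUCC = {0: {1}, 1: {2, 3}, 2: {2}, 3: {4}, 4: {4}}
succ = SUCC.__getitem__

if __name__ == "__main__":
    print(release_counterexample(0, succ, lambda s: False, lambda s: s != 4))      # [0, 1, 3, 4]
    print(until_counterexample(0, succ, lambda s: True, lambda s: s == 4))          # lasso via 2
    print(until_counterexample(0, succ, lambda s: s != 3, lambda s: s == 4))        # psi fails at 3
```

The returned prefix and loop are exactly what the recursive counterexample facility of the text would then explain state by state: $\psi$ false along the prefix of a release counterexample, or $\chi$ false at every state of $\pi_0$ and $\pi_1$ for an unfulfilled eventuality.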

The other situation that arises most often in practice is for $M'$ to be
deterministic. By this, we intuitively mean that there is no state which
has transitions to two successors with the same labeling. (However,
note that there may be multiple states with the same labeling.)

Definition 3.8 $M$ is deterministic if:

1. For all $s_0$ and $s_1$ in $I$ (with $s_0 \neq s_1$), $L(s_0) \neq L(s_1)$.

2. For all $s \in S$, if $R(s, s_0)$ and $R(s, s_1)$ (with $s_0 \neq s_1$), then $L(s_0) \neq L(s_1)$.

When $M'$ is deterministic, given states $s$ and $s'$ and a path $\pi$ from $s$,
there is only one possible path from $s'$ that could correspond to $\pi$. Thus,
in this case, $\preceq$ essentially corresponds to $\omega$-language containment.

Definition 3.9 The language of $M, s_0$ over a set of observable state
components $A' \subseteq A$ (denoted by $\mathcal{L}(M, s_0, A')$) is the set of sequences
of labelings occurring on paths starting from $s_0$.

$\mathcal{L}(M, s_0, A') = \{\, l_0 l_1 l_2 \ldots \mid s_0 s_1 s_2 \ldots \text{ is a path},\ \forall i\ \ l_i = L(s_i)\downarrow A' \,\}$

(Recall that $L(s_i)\downarrow A'$ denotes $L(s_i)$ with its domain restricted to $A'$.)

We write $\mathcal{L}(s, A')$ when $M$ is understood. The language of $M$ is the
union of the languages for all of its initial states.

$\mathcal{L}(M, A') = \bigcup_{s \in I} \mathcal{L}(M, s, A').$
Proposition 3.3 We have the following relationship between language
containment and simulation:

1. If $M \preceq M'$, then $\mathcal{L}(M, A') \subseteq \mathcal{L}(M', A')$ and for every $s \in I$,
there is some $s' \in I'$ such that $L(s)\downarrow A' = L'(s')$.

2. Suppose $\mathcal{L}(M, A') \subseteq \mathcal{L}(M', A')$, $M'$ is deterministic, and for every
$s \in I$, there is some $s' \in I'$ such that $L(s)\downarrow A' = L'(s')$; then
$M \preceq M'$.

The above relationship means that when $M'$ is deterministic, we
can check $\preceq$ by basically checking for language containment. This can
be done in polynomial time using standard techniques [26].

Proof Assume $M \preceq M'$. Let $\pi = s_0 s_1 s_2 \ldots$ be a path from $s_0 \in I$
in $M$. There must exist a path $\pi' = s'_0 s'_1 s'_2 \ldots$ from some $s'_0 \in I'$ in $M'$
for which $s_i \preceq s'_i$ for all $i$. Since $s_i \preceq s'_i$, we have $L(s_i)\downarrow A' = L'(s'_i)$.
Hence the sequences of labelings corresponding to $\pi$ and $\pi'$ are the
same, and so $\mathcal{L}(M, A') \subseteq \mathcal{L}(M', A')$. Obviously, for every $s \in I$, there
is some $s' \in I'$ such that $s \preceq s'$, and hence $L(s)\downarrow A' = L'(s')$.

Suppose $\mathcal{L}(M, A') \subseteq \mathcal{L}(M', A')$ and that $M'$ is deterministic. Let
$C$ be the relation

$\{\, (s, s') \mid L(s)\downarrow A' = L'(s') \wedge \mathcal{L}(s, A') \subseteq \mathcal{L}(s', A') \,\}.$

We show that $C$ is a simulation relation; suppose $s\,C\,s'$. By definition,
$s$ and $s'$ agree on the labels of state components in $A'$. Let $\pi = s_0 s_1 s_2 \ldots$
be a path from $s = s_0$ in $M$. Since $\mathcal{L}(s, A') \subseteq \mathcal{L}(s', A')$, there is a path
$\pi' = s'_0 s'_1 s'_2 \ldots$ from $s' = s'_0$ for which the labelings on the two paths
(with respect to $A'$) agree. Since $\mathcal{L}(s_0, A') \subseteq \mathcal{L}(s'_0, A')$ and $M'$ is
deterministic, $s'_1$ is the only successor of $s'_0$ with the labeling of $s_1$, so
$\mathcal{L}(s_1, A') \subseteq \mathcal{L}(s'_1, A')$. Also, $L(s_1)\downarrow A' = L'(s'_1)$; hence
$s_1\,C\,s'_1$. Applying the above argument inductively, we find $s_i\,C\,s'_i$ for
all $i$.

Suppose now $s \in I$. By hypothesis and the fact that $M'$ is deterministic,
there is a unique $s' \in I'$ such that $L(s)\downarrow A' = L'(s')$. If there
is no path starting at $s$, then clearly $s \preceq s'$. If there are paths from $s$,
then $\mathcal{L}(M, A') \subseteq \mathcal{L}(M', A')$ implies that $\mathcal{L}(s, A') \subseteq \mathcal{L}(s', A')$. Then
$s\,C\,s'$, and so $s \preceq s'$. Thus in all cases, $s \preceq s'$, and so $M \preceq M'$. □
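The proof of Proposition 3.3 is constructive, and for a deterministic $M'$ it gives a direct algorithm for $M \preceq M'$ that avoids computing a full simulation relation: pair each initial state of $M$ with the unique initial state of $M'$ carrying the same observable labeling, then explore pairs $(s, s')$ and, for every successor $t$ of $s$, look for the single successor $t'$ of $s'$ with $L(t)\downarrow A' = L'(t')$. If it is missing, the path found so far is a word of $\mathcal{L}(M, A')$ outside $\mathcal{L}(M', A')$. The following Python is an added example, not code from the thesis. The concrete machine M_AU is a hand-built abstraction with two distinct invalid states and separate load and store cycles (not the thirteen-state machine of section 3.6), SPEC is a deterministic specification over the observable components push_rdy and pop_rdy, and SPEC_STRICT is the same specification with the modified-to-invalid edge removed so that the check fails.

```python
def observable(X, s, obs):
    """L(s) restricted to the observable components obs, as a hashable tuple."""
    return tuple(X["label"][s][a] for a in obs)


def is_deterministic(M, obs):
    """Definition 3.8, with labelings compared on the components in obs."""
    def distinct(states):
        labs = [observable(M, s, obs) for s in states]
        return len(labs) == len(set(labs))
    return distinct(M["init"]) and all(distinct(M["succ"][s]) for s in M["succ"])


def simulates(M, Mp, obs):
    """Decide M <= Mp for deterministic Mp by matching each transition of M against the
    unique transition of Mp with the same observable labeling (Proposition 3.3).
    Returns (True, None) or (False, word) where word is a labeling sequence that M
    can produce and Mp cannot."""
    assert is_deterministic(Mp, obs), "the greedy match is only sound for deterministic Mp"

    def match(candidates, lab):
        return next((t for t in candidates if observable(Mp, t, obs) == lab), None)

    pairs, todo = set(), []
    for s in M["init"]:
        lab = observable(M, s, obs)
        sp = match(Mp["init"], lab)
        if sp is None:
            return False, [lab]
        todo.append((s, sp, [lab]))
    while todo:
        s, sp, word = todo.pop()
        if (s, sp) in pairs:
            continue
        pairs.add((s, sp))
        for t in sorted(M["succ"][s]):
            lab = observable(M, t, obs)
            tp = match(Mp["succ"][sp], lab)
            if tp is None:               # no path of Mp can continue this way
                return False, word + [lab]
            todo.append((t, tp, word + [lab]))
    return True, None


OBS = ("push_rdy", "pop_rdy")


def _lab(push_rdy, pop_rdy, busy):
    return {"push_rdy": push_rdy, "pop_rdy": pop_rdy, "busy": busy}


# Constructed concrete machine: inv0/inv1 are both "invalid" (one with a load about to
# start), ld/st are the load and store cycles.  Not deterministic over OBS (inv0 -> inv0, inv1).
M_AU = {
    "init": ["inv0"],
    "succ": {"inv0": {"inv0", "inv1", "mod"}, "inv1": {"ld", "mod"}, "ld": {"ld", "val"},
             "val": {"val", "mod", "inv0"}, "mod": {"st", "inv0"}, "st": {"st", "val"}},
    "label": {"inv0": _lab(True, False, False), "inv1": _lab(True, False, False),
              "ld": _lab(False, False, True), "val": _lab(True, True, False),
              "mod": _lab(False, True, False), "st": _lab(False, False, True)},
}

# Constructed deterministic specification: one state per observable labeling.
SPEC = {
    "init": ["I"],
    "succ": {"I": {"I", "B", "D"}, "B": {"B", "V"}, "V": {"V", "D", "I"}, "D": {"D", "B", "I"}},
    "label": {"I": {"push_rdy": True, "pop_rdy": False}, "B": {"push_rdy": False, "pop_rdy": False},
              "V": {"push_rdy": True, "pop_rdy": True}, "D": {"push_rdy": False, "pop_rdy": True}},
}
# Same specification, but a modified TS may not become invalid without a store cycle.
SPEC_STRICT = dict(SPEC, succ=dict(SPEC["succ"], D={"D", "B"}))

if __name__ == "__main__":
    print(simulates(M_AU, SPEC, OBS))          # (True, None)
    print(simulates(M_AU, SPEC_STRICT, OBS))   # (False, [(True, False), (False, True), (True, False)])
```

The failing word for SPEC_STRICT is the labeling sequence of the path inv0, mod, inv0, which is precisely the kind of trace the assume-guarantee checks of section 3.6 turn up: a pop straight out of the modified state, which the stricter specification forbids. Because the matching is greedy, the check visits each pair at most once, giving the polynomial bound mentioned above.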
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We  now  turn  to  some  of  the  proofs  that  were  previously  deferred. 
First,  we  note  that  the  composition  operation  for  structures  is  commu¬ 
tative  and  associative. 

Theorem  3.7  Let  M,  M'  and  M"  be  structures.  Then  M  ||  M'  is 
isomorphic  to  M'\\M .  Also  M\\{M'\\M")  is  isomorphic  to  (M\\M')\\M" . 

Proof  For  commutativity,  it  is  easy  to  see  that  the  map  taking  the 
state  (s,s')  of  the  former  to  (s',s)  of  the  latter  preserves  initial  states, 
transitions,  labelings,  and  acceptance  conditions,  and  hence  is  an  iso¬ 
morphism. 

For associativity, let $M_0 = (M \| M') \| M''$ and $M_1 = M \| (M' \| M'')$. Let $\phi$ be the map taking $((s, s'), s'')$ to $(s, (s', s''))$. In order to show that this is a bijection, we need to prove that $((s, s'), s'')$ is a valid state of $M_0$ iff $(s, (s', s''))$ is a valid state of $M_1$. Assume $((s, s'), s'') \in S_0$. To show $(s, (s', s'')) \in S_1$, we must first prove that $(s', s'')$ is a state of $M' \| M''$. If $(s', s'')$ is not a state of $M' \| M''$, then there must be some state component $a'$ in $A' \cap A''$ such that $L'(s', a') \neq L''(s'', a')$. Now consider the labeling of $(s, s')$ in $M \| M'$. This state must have labeling $L'(s', a')$ on the state component $a'$. Hence $((s, s'), s'')$ could not be a state of $M_0$, a contradiction.

We now know that $(s', s'')$ is a state of $M' \| M''$. If $(s, (s', s''))$ is not in $S_1$, then there is some state component $a$ such that the labeling of $s$ and the labeling of $(s', s'')$ disagree on this label. This state component $a$ must be in one of $A'$ or $A''$; let us suppose it is in $A'$. The labeling of $(s', s'')$ on $a$ is then the same as the labeling of $s'$ on $a$. As a result, we have $L(s, a) \neq L'(s', a)$, and hence $(s, s')$ is not a state of $M \| M'$. This means that $((s, s'), s'')$ is not a state of $M_0$, a contradiction. Similarly, we obtain a contradiction if $a$ is in $A''$ instead of $A'$. Thus, we conclude that $(s, (s', s''))$ must indeed be a state of $M_1$.

Now that we know $\phi$ is a bijection between the states of $M_0$ and $M_1$, it is easy to see that initial states, transitions, labelings, and acceptance conditions are preserved. Thus, $\phi$ is in fact an isomorphism between the structures. □

We also prove that the composition operation on structures corresponds to the composition operation on Moore machines (proposition 3.1).

Proof We are given composable Moore machines $M$ and $M'$, and we want to know that $struct(M \| M')$ is isomorphic to $struct(M) \| struct(M')$. Let $M'' = M \| M'$, and define $\phi$ by:

First note that $(s, f'' \cup (L'(s') \downarrow A_I))$ is a state of $struct(M)$, and that its labeling is compatible with the state $(s', f'' \cup (L(s) \downarrow A'_I))$ of $struct(M')$; hence $\phi$ is a well-defined mapping between the two sets of states. It is clearly an injection. Given a state $((s, f), (s', f'))$ of the composition of the structures, if we let $f'' = f \downarrow A''_I = f' \downarrow A''_I$, then we obtain a state of $struct(M'')$ mapping to $((s, f), (s', f'))$; hence $\phi$ is a bijection.

$\phi$ obviously preserves labelings and initial states, and the acceptance conditions of both structures are empty. If $((s_0, s'_0), f''_0)$ can transition to $((s_1, s'_1), f''_1)$ in $struct(M'')$, then $R''((s_0, s'_0), f''_0, (s_1, s'_1))$. This implies $R(s_0, f''_0 \cup (L'(s'_0) \downarrow A_I), s_1)$ and $R'(s'_0, f''_0 \cup (L(s_0) \downarrow A'_I), s'_1)$. Now $(s_0, f''_0 \cup (L'(s'_0) \downarrow A_I))$ is a state of $struct(M)$ that can transition to $(s_1, f''_1 \cup (L'(s'_1) \downarrow A_I))$, and similarly $(s'_0, f''_0 \cup (L(s_0) \downarrow A'_I))$ can transition to $(s'_1, f''_1 \cup (L(s_1) \downarrow A'_I))$. Hence $\phi(((s_0, s'_0), f''_0))$ can transition to $\phi(((s_1, s'_1), f''_1))$. A similar argument shows that transitions in $struct(M) \| struct(M')$ are also transitions in $struct(M'')$. Thus, $\phi$ is an isomorphism. □

We next return to the proofs of theorems 3.1 through 3.4. Recall that the first of these states that $\preceq$ is the largest simulation relation under the set inclusion ordering.

Proof First, we show that $\preceq$ is in fact a simulation relation. Suppose $s \preceq s'$. Hence, there exists some $\sqsubseteq$ that is a simulation relation and for which $s \sqsubseteq s'$. Since $\sqsubseteq$ is a simulation relation, $L(s) \downarrow A' = L'(s')$. Let $\pi = s_0 s_1 s_2 \ldots$ be a path in $M$ starting at $s = s_0$. Again, since $\sqsubseteq$ is a simulation relation, there exists a path $\pi' = s'_0 s'_1 s'_2 \ldots$ starting at $s' = s'_0$ such that for all $i$, $s_i \sqsubseteq s'_i$. Since there exists a simulation relation ($\sqsubseteq$) relating each $s_i$ and $s'_i$, $s_i \preceq s'_i$. Hence $\preceq$ satisfies the conditions for a simulation relation.

If $\sqsubseteq$ is any simulation relation for which $s \sqsubseteq s'$, then by definition $s \preceq s'$. Hence $\sqsubseteq \;\subseteq\; \preceq$. □
To show that $\preceq$ is a preorder (theorem 3.2), we just argue that it is transitive (reflexivity is obvious).

Proof Suppose $M \preceq M'$ and $M' \preceq M''$. Obviously, the condition $A \supseteq A''$ holds. Define $\sqsubseteq$ as the relational product of the two simulation relations:

$\sqsubseteq \;=\; \{\,(s, s'') \mid \exists s'\,[\,s \preceq s' \wedge s' \preceq s''\,]\,\}.$

We first show that $\sqsubseteq$ is a simulation relation.

Suppose $s \sqsubseteq s''$. Let $s'$ be a state such that $s \preceq s'$ and $s' \preceq s''$. Since $\preceq$ is a simulation relation, $L'(s') \downarrow A'' = L''(s'')$. Similarly, $L(s) \downarrow A' = L'(s')$, so $L(s) \downarrow A'' = L''(s'')$. Let $\pi = s_0 s_1 s_2 \ldots$ be a path in $M$ starting at $s = s_0$. There must exist a path $\pi' = s'_0 s'_1 s'_2 \ldots$ starting at $s' = s'_0$ such that for all $i$, $s_i \preceq s'_i$. For this path, there must exist a path $\pi'' = s''_0 s''_1 s''_2 \ldots$ starting at $s'' = s''_0$ such that for all $i$, $s'_i \preceq s''_i$. By definition, $s_i \sqsubseteq s''_i$ for all $i$, i.e., $\pi$ and $\pi''$ are paths from $s$ and $s''$ related by $\sqsubseteq$. Thus, $\sqsubseteq$ is a simulation relation.

Now, if we can show that every initial state of $M$ is related to a corresponding initial state of $M''$ by $\sqsubseteq$, then we are done. Let $s \in I$. Since $M \preceq M'$, there is some $s' \in I'$ such that $s \preceq s'$. Similarly, since $M' \preceq M''$, there is $s'' \in I''$ such that $s' \preceq s''$. By definition, $s \sqsubseteq s''$. □

To prove that $\|$ respects $\preceq$, we first prove the following lemma. It tells us that paths in a composition correspond to paths in the components.

Lemma 3.1 (path lemma) Let $M'' = M \| M'$. The following conditions are equivalent.

1. $\pi'' = (s_0, s'_0)(s_1, s'_1)(s_2, s'_2)\ldots$ is a path in $M''$.

2. $\pi = s_0 s_1 \ldots$ and $\pi' = s'_0 s'_1 \ldots$ are paths in $M$ and $M'$ respectively, and $(s_i, s'_i)$ is a state of $M''$ for all $i$.

Proof If $\pi'' = (s_0, s'_0)(s_1, s'_1)(s_2, s'_2)\ldots$ is a path in $M''$, then obviously $(s_i, s'_i)$ is a state of $M''$ for each $i$. By definition of composition, we must also have $R(s_i, s_{i+1})$ and $R'(s'_i, s'_{i+1})$. Now suppose that $(P, Q)$ is a pair in the acceptance condition of $M$. Then $((P \times S') \cap S'', (Q \times S') \cap S'')$ is a pair in the acceptance condition of $M''$. Since $\pi''$ is a path, either there is some $i$ such that $(s_j, s'_j) \in (P \times S') \cap S''$ for all $j > i$, or there are infinitely many $i$ such that $(s_i, s'_i) \in (Q \times S') \cap S''$. This implies that either almost all of the $s_i$ are in $P$, or infinitely many of them are in $Q$. Thus, $\pi$ is a path, and a similar argument shows that $\pi'$ is.

Conversely, if $\pi$ and $\pi'$ are paths in $M$ and $M'$ respectively, then we must have $R(s_i, s_{i+1})$ and $R'(s'_i, s'_{i+1})$. By definition of composition and the fact that $(s_i, s'_i)$ is a state of $M''$ for all $i$, we obtain $R''((s_i, s'_i), (s_{i+1}, s'_{i+1}))$ for all $i$. Let $((P \times S') \cap S'', (Q \times S') \cap S'')$ be one of the pairs in the acceptance condition of $M''$ (assume without loss of generality that it derives from $(P, Q) \in F$). Since $\pi$ is a path in $M$, either infinitely many $s_i$ are in $Q$, or almost all of them are in $P$. This implies that either infinitely many $(s_i, s'_i)$ are in $(Q \times S') \cap S''$, or almost all of them are in $(P \times S') \cap S''$. Thus, each pair in the acceptance condition of $M''$ is satisfied, so $\pi''$ is a path of $M''$. □
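As an added example (not code from the thesis), the following Python program checks the path lemma on lasso-shaped paths of a small constructed composition: it builds the transition relation and the lifted acceptance pairs of $M \| M'$ exactly as in the proof above and confirms that a lasso is a path of $M \| M'$ iff both of its projections are paths. The structures $M$, $M'$, the lassos and all function names are mine; every product state is taken to be label-compatible, so condition 2 of the lemma reduces to the two projections being paths.

```python
# Added example, not code from the thesis: the path lemma (Lemma 3.1) checked
# on lasso-shaped paths.  An infinite sequence u_0 .. u_{k-1} (v_0 .. v_{l-1})^omega
# is written (prefix, cycle) with a non-empty cycle; for an acceptance pair
# (P, Q), "almost all states in P or infinitely many in Q" becomes "every cycle
# state is in P or some cycle state is in Q".  All names and data are mine.
from itertools import product


def is_path(lasso, trans, accept):
    """True iff consecutive states are R-related (including the step from the
    last cycle state back to the first) and every pair (P, Q) is satisfied."""
    prefix, cycle = lasso
    seq = list(prefix) + list(cycle)
    steps = list(zip(seq, seq[1:])) + [(cycle[-1], cycle[0])]
    if any(step not in trans for step in steps):
        return False
    on_cycle = set(cycle)
    return all(on_cycle <= P or bool(on_cycle & Q) for P, Q in accept)


def compose_trans(R, R2, S12):
    """R'' of M || M': componentwise transitions between product states."""
    return {((s, t), (s1, t1)) for (s, s1) in R for (t, t1) in R2
            if (s, t) in S12 and (s1, t1) in S12}


def lift_acceptance(F, F2, S, S2, S12):
    """F'' of M || M' as in the proof: ((P x S') ∩ S'', (Q x S') ∩ S'') for each
    (P, Q) in F, and ((S x P') ∩ S'', (S x Q') ∩ S'') for each (P', Q') in F'."""
    pairs = [(set(product(P, S2)) & S12, set(product(Q, S2)) & S12) for P, Q in F]
    pairs += [(set(product(S, P2)) & S12, set(product(S, Q2)) & S12) for P2, Q2 in F2]
    return pairs


def project(lasso, i):
    """Projection of a lasso of M || M' onto component i (0 for M, 1 for M')."""
    prefix, cycle = lasso
    return [u[i] for u in prefix], [u[i] for u in cycle]


# Constructed M: a path must eventually stay inside {b, c}.  Constructed M': a
# path must visit x infinitely often.  All product states are label-compatible.
S, R, F = {"a", "b", "c"}, {("a", "b"), ("b", "c"), ("c", "b")}, [({"b", "c"}, set())]
S2, R2, F2 = {"x", "y"}, {("x", "y"), ("y", "x"), ("y", "y")}, [(set(), {"x"})]
S12 = set(product(S, S2))
R12 = compose_trans(R, R2, S12)
F12 = lift_acceptance(F, F2, S, S2, S12)


def path_lemma_check(lasso12):
    """Returns (path in M || M'?, projection a path in M?, projection a path in M'?).
    The lemma says the first component equals the conjunction of the other two."""
    in_product = is_path(lasso12, R12, F12)
    in_m = is_path(project(lasso12, 0), R, F)
    in_m2 = is_path(project(lasso12, 1), R2, F2)
    assert in_product == (in_m and in_m2)
    return in_product, in_m, in_m2


GOOD = ([("a", "x")], [("b", "y"), ("c", "x")])  # fair for both components
BAD = ([("a", "x")], [("b", "y"), ("c", "y")])   # never returns to x: unfair in M'
```

The `BAD` lasso is transition-valid in the composition and its projection onto $M$ is a path, but its projection onto $M'$ violates the pair $(\emptyset, \{x\})$; the lifted pair $((S \times \emptyset) \cap S'', (S \times \{x\}) \cap S'')$ rejects it in $M \| M'$ for the same reason, which is the direction of the lemma that the proof argues first.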

We now prove that composition respects simulation.

Proof Assume $M \preceq M'$. Let $M_0 = M \| M''$ and $M_1 = M' \| M''$. Define $\sqsubseteq$ to be the relation

$\{\,((s, s''), (s', s'')) \mid (s, s'') \in S_0 \wedge (s', s'') \in S_1 \wedge s \preceq s'\,\}.$

Suppose $(s, s'') \sqsubseteq (s', s'')$. Let $a$ be a state component of $M_1$. If $a \in A'$, then $L_0((s, s''), a) = L(s, a)$ (since $A \supseteq A'$). But $L_1((s', s''), a) = L'(s', a) = L(s, a)$ since $s \preceq s'$. If $a \in A''$, then $L_0((s, s''), a) = L''(s'', a)$, and $L_1((s', s''), a) = L''(s'', a)$ as well. In both cases, the state labelings agree on $a$. Now let $\pi_0 = (s_0, s''_0)(s_1, s''_1)(s_2, s''_2)\ldots$ be a path in $M_0$ from $(s, s'') = (s_0, s''_0)$. By the path lemma, we can project this to paths $\pi$ from $s$ in $M$ and $\pi''$ from $s''$ in $M''$. Since $s \preceq s'$, there is a path $\pi' = s'_0 s'_1 s'_2 \ldots$ from $s' = s'_0$ in $M'$ such that $s_i \preceq s'_i$ for each $i$. Again by the path lemma, the paths $\pi'$ and $\pi''$ can be combined into a path $\pi_1 = (s'_0, s''_0)(s'_1, s''_1)(s'_2, s''_2)\ldots$ in $M_1$. By definition, corresponding states on $\pi_0$ and $\pi_1$ are related by $\sqsubseteq$, and hence $\sqsubseteq$ is a simulation relation.

If $(s, s'') \in I_0$, then $s \in I$ and $s'' \in I''$. Since $M \preceq M'$, there is some $s'$ such that $s \preceq s'$ and $s' \in I'$. For this $s'$, $(s, s'') \sqsubseteq (s', s'')$. Hence $(s, s'') \preceq (s', s'')$, and every initial state of $M_0$ has a corresponding initial state of $M_1$. Thus, $M_0 \preceq M_1$. □
The proof that $M \preceq M \| M$ (theorem 3.4) is straightforward; we just observe that $\{\,(s, (s, s)) \mid s \in S\,\}$ is a simulation relation. We now consider theorem 3.5 (the observation that composing $M$ with $\top(B)$ for $B \subseteq A$ leads to a structure isomorphic to $M$).

Proof Let $s \in S$. The only state of $\top(B)$ that has a compatible labeling with $s$ is $L(s) \downarrow B$. Hence the mapping $\phi$ defined by $\phi(s) = (s, L(s) \downarrow B)$ is a bijection between states of $M$ and states of $M \| \top(B)$. Clearly $\phi$ preserves labelings. Since all states of $\top(B)$ are initial and all pairs of states have a transition between them, $\phi$ also preserves initial states and transitions. Similarly, $F$ is mapped to a corresponding acceptance condition in the composition. □

The remaining task is to prove the correctness of the tableau construction. Earlier we mentioned that the construction as given earlier does not handle certain degenerate cases, so we first discuss these cases and the changes that need to be made. Consider the formula $\mathbf{A}(\mathit{false}\,\mathbf{V}\,\mathit{false})$ ($\mathbf{AG}\,\mathit{false}$). If $M$ is a structure where there is no initial state that is the start of a path, then $M$ actually satisfies this formula. However, if we construct the tableau according to the earlier definition, we find that it has no initial states. This is because $\Phi(\mathbf{A}(\mathit{false}\,\mathbf{V}\,\mathit{false})) = \Phi(\mathit{false}) \cap \ldots$, and $\Phi(\mathit{false})$ is the empty set. Since the tableau has no initial states, it may not be able to simulate $M$. The solution to handling cases such as this is to recognize that formulas such as $\mathbf{A}(\psi\,\mathbf{U}\,\chi)$ and $\mathbf{A}(\psi\,\mathbf{V}\,\chi)$ will be true for states that are the start of no path, regardless of $\psi$ and $\chi$. To take this into account, we extend the set of elementary formulas. When $\varphi$ has a subformula involving $\mathbf{U}$ or $\mathbf{V}$, we add a special formula $\mathbf{AX}\,\mathit{false}$ to the elementary formulas of $\varphi$. Then, we alter the mapping $\Phi$ so that $\Phi(\mathbf{A}(\psi\,\mathbf{V}\,\chi))$ is

$(\Phi(\chi) \cap (\Phi(\psi) \cup \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi)))) \cup \Phi(\mathbf{AX}\,\mathit{false})$

and $\Phi(\mathbf{A}(\psi\,\mathbf{U}\,\chi))$ is

$(\Phi(\chi) \cup (\Phi(\psi) \cap \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi)))) \cup \Phi(\mathbf{AX}\,\mathit{false}).$

With these changes, the construction is correct in all cases, as we now show.

First, we demonstrate that if $M \preceq \mathcal{T}(\varphi)$, then $M \models \varphi$. This will be done in two steps:
1. Prove that if $M \preceq M'$ and if $M'$ satisfies a formula, then $M$ satisfies the formula as well.

2. Prove that $\mathcal{T}(\varphi) \models \varphi$.

Then we will have $M \preceq \mathcal{T}(\varphi)$, $\mathcal{T}(\varphi) \models \varphi$, and hence $M \models \varphi$.

Lemma 3.2 If $M \preceq M'$ and $\varphi$ is a formula with $comp(\varphi) \subseteq A'$, then $M' \models \varphi$ implies $M \models \varphi$.

Proof The proof of this theorem is very similar in spirit to that of theorem 2.2. Clearly it is enough to show that if $s' \models \varphi$ and $s \preceq s'$, then $s \models \varphi$. We proceed by induction on the structure of formulas.

1. For atomic formulas and their negations, the result is obvious. For conjunctions and disjunctions, it follows immediately from the induction hypothesis.

2. Consider a formula of the form $\mathbf{A}(\varphi\,\mathbf{U}\,\psi)$. Let $\pi = s_0 s_1 s_2 \ldots$ be a path from $s = s_0$; we want to show that this path satisfies $\varphi\,\mathbf{U}\,\psi$. Since $s \preceq s'$, there is a path $\pi' = s'_0 s'_1 s'_2 \ldots$ from $s' = s'_0$ that corresponds to $\pi$. For each $i$, $s_i \preceq s'_i$. Hence by the induction hypothesis, $s'_i \models \varphi$ implies $s_i \models \varphi$, and similarly for $\psi$. If $\pi$ does not satisfy $\varphi\,\mathbf{U}\,\psi$, then this implies that $\pi'$ does not satisfy $\varphi\,\mathbf{U}\,\psi$ either. Hence $s' \not\models \mathbf{A}(\varphi\,\mathbf{U}\,\psi)$, a contradiction. Thus we conclude that $s \models \mathbf{A}(\varphi\,\mathbf{U}\,\psi)$.

3. The cases for $\mathbf{AX}\,\varphi$ and $\mathbf{A}(\varphi\,\mathbf{V}\,\psi)$ are similar to the above. □

Lemma 3.3 Let $s$ be a state of $\mathcal{T}(\varphi)$. For all subformulas $\psi$ of $\varphi$, if $s \in \Phi(\psi)$, then $s \models \psi$. Hence $\mathcal{T}(\varphi) \models \varphi$.

Proof Let $M = \mathcal{T}(\varphi)$ and $s = (f, E)$; we proceed by induction on the structure of the subformula.

1. For $\mathit{true}$, we have that $\Phi(\mathit{true})$ contains every state, so $s \in \Phi(\mathit{true})$ iff $s \models \mathit{true}$.

2. For a subformula of the form $a = d$, we have

$\Phi(a = d) = \{\,(f, E) \mid f(a) = d\,\}.$

$s \models a = d$ iff $L(s, a) = d$, and from the definition of $\mathcal{T}(\varphi)$, we have $L((f, E), a) = f(a)$. Hence $s \in \Phi(a = d)$ iff $s \models a = d$.

3. For the negation of an atomic formula, just note that the above two cases are iffs, and that $\Phi(\neg\psi) = S - \Phi(\psi)$.

4. $\Phi(\psi \wedge \chi) = \Phi(\psi) \cap \Phi(\chi)$. If $s \in \Phi(\psi \wedge \chi)$, then by the induction hypothesis, $s \models \psi$ and $s \models \chi$. Hence $s \models \psi \wedge \chi$. Similarly, if $s \in \Phi(\psi \vee \chi)$, then $s \models \psi \vee \chi$.

5. For subformulas of the form $\mathbf{AX}\,\psi$, we have $s \in \Phi(\mathbf{AX}\,\psi)$ iff $\mathbf{AX}\,\psi \in E$. In other words, $\Phi(\mathbf{AX}\,\psi)$ gives exactly those states labeled with the elementary subformula $\mathbf{AX}\,\psi$. Suppose $s = s_0 \in \Phi(\mathbf{AX}\,\psi)$. By definition of the tableau, if $R(s_0, s_1)$, then $s_1 \in \Phi(\psi)$. Applying the induction hypothesis, we find $s_1 \models \psi$. Since every successor of $s_0$ must satisfy $\psi$, $s_0 \models \mathbf{AX}\,\psi$.

For a subformula of the form $\mathbf{A}(\psi\,\mathbf{V}\,\chi)$, $\Phi(\mathbf{A}(\psi\,\mathbf{V}\,\chi))$ is

$(\Phi(\chi) \cap (\Phi(\psi) \cup \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi)))) \cup \Phi(\mathbf{AX}\,\mathit{false}).$

If $s \in \Phi(\mathbf{AX}\,\mathit{false})$, then there are no paths starting at $s$, so it satisfies $\mathbf{A}(\psi\,\mathbf{V}\,\chi)$. Otherwise, $s \in \Phi(\chi)$, so by the induction hypothesis, $s \models \chi$. Also, $s \in \Phi(\psi) \cup \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi))$. If $s \in \Phi(\psi)$, then $s \models \psi$ by the induction hypothesis. If instead $s = s_0 \in \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi))$, then by the definitions of $\Phi$ and $R$, if $R(s_0, s_1)$, then $s_1 \in \Phi(\mathbf{A}(\psi\,\mathbf{V}\,\chi))$. Thus, in this case, all successors of $s$ must also be in $\Phi(\mathbf{A}(\psi\,\mathbf{V}\,\chi))$. Let $\pi = s_0 s_1 s_2 \ldots$ be a path starting at $s = s_0$. Suppose $s_i \not\models \psi$ for all $i < j$. By the above, we must have $s_j \models \chi$. Hence $\psi\,\mathbf{V}\,\chi$ is true along the path, and since $\pi$ was arbitrary, $s \models \mathbf{A}(\psi\,\mathbf{V}\,\chi)$.

The argument for subformulas of the form $\mathbf{A}(\psi\,\mathbf{U}\,\chi)$ is similar to that for $\mathbf{A}(\psi\,\mathbf{V}\,\chi)$.

Now if $s$ is an initial state of the tableau, then by definition $s \in \Phi(\varphi)$. Hence $s \models \varphi$, and so $\mathcal{T}(\varphi) \models \varphi$. □
This concludes one direction of the proof. Now we want to prove that if $M' \models \varphi$, then $M' \preceq \mathcal{T}(\varphi)$. This will be done by constructing an explicit simulation relation between $M'$ and $\mathcal{T}(\varphi)$. The idea will be to take a state $s'$ of $M'$, look at its labeling and the elementary formulas that it satisfies, and use this to construct a unique state of $\mathcal{T}(\varphi)$ that can simulate $s'$. First, we define what will be the simulation relation and prove a sort of analog to the converse of lemma 3.3.

Lemma 3.4 Let $M = \mathcal{T}(\varphi)$, and let $M'$ be a structure with $A' \supseteq A$. Define $\sqsubseteq$ on $S' \times S$ by $s' \sqsubseteq (f, E)$ iff the following conditions hold:

1. $L'(s') \downarrow A = f$.

2. For every $\mathbf{AX}\,\psi \in el(\varphi)$, $\mathbf{AX}\,\psi \in E$ iff $s' \models \mathbf{AX}\,\psi$.

Then $s' \sqsubseteq s$ implies that for every subformula or elementary formula $\psi$ of $\varphi$, $s' \models \psi$ implies $s \in \Phi(\psi)$.

Proof By induction on the structure of formulas. In this proof, the base cases are the atomic subformulas and the elementary subformulas. In all cases, assume $s' \sqsubseteq s = (f, E)$.

1. For $\mathit{true}$, $s' \models \mathit{true}$ iff $s \in \Phi(\mathit{true})$.

2. For a subformula $a = d$, we get that $s' \models a = d$ iff $L'(s', a) = d$ iff $L((f, E), a) = d$ iff $f(a) = d$ iff $(f, E) \in \Phi(a = d)$.

3. For a negated atomic subformula, the result follows from the facts that $\Phi(\neg\psi) = S - \Phi(\psi)$ and that the above two cases are iffs.

4. If $s'$ satisfies an elementary formula $\mathbf{AX}\,\psi$, then by definition of $\sqsubseteq$, $\mathbf{AX}\,\psi \in E$. But $(f, E) \in \Phi(\mathbf{AX}\,\psi)$ iff $\mathbf{AX}\,\psi \in E$.

5. For a subformula such as $\psi \wedge \chi$, we get that $s'$ must satisfy $\psi$ and $\chi$. By the induction hypothesis, $s \in \Phi(\psi)$ and $s \in \Phi(\chi)$. Hence $s \in \Phi(\psi) \cap \Phi(\chi)$, and $s \in \Phi(\psi \wedge \chi)$. Subformulas of the form $\psi \vee \chi$ are handled in a similar manner.

6. Subformulas of the form $\mathbf{AX}\,\psi$ are elementary formulas and were dealt with above. Consider a subformula of the form $\mathbf{A}(\psi\,\mathbf{V}\,\chi)$. If $s'$ is not the start of some path, then $s' \models \mathbf{AX}\,\mathit{false}$, so $\mathbf{AX}\,\mathit{false} \in E$, and hence $s \in \Phi(\mathbf{A}(\psi\,\mathbf{V}\,\chi))$. Assume $s'$ is the start of a path. If $s' \models \mathbf{A}(\psi\,\mathbf{V}\,\chi)$, then we first have that $s' \models \chi$. By the induction hypothesis, $s \in \Phi(\chi)$. Also, either $s' \models \psi$, or every successor of $s'$ must satisfy $\mathbf{A}(\psi\,\mathbf{V}\,\chi)$. In the former case, $s \in \Phi(\psi)$. In the latter, $s'$ must satisfy $\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi)$. This is an elementary subformula, and hence by the induction hypothesis, $s \in \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi))$. From these two cases we can conclude $s \in \Phi(\psi) \cup \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi))$. All together, we have

$s \in \Phi(\chi) \cap (\Phi(\psi) \cup \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{V}\,\chi))),$

and so $s \in \Phi(\mathbf{A}(\psi\,\mathbf{V}\,\chi))$.

Consider a subformula of the form $\mathbf{A}(\psi\,\mathbf{U}\,\chi)$. If $s'$ is not the start of some path, then as above we have $s \in \Phi(\mathbf{A}(\psi\,\mathbf{U}\,\chi))$. Otherwise, either $s' \models \chi$, or $s' \models \psi$ and every successor of $s'$ satisfies $\mathbf{A}(\psi\,\mathbf{U}\,\chi)$. In the latter case $s' \models \mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi)$. Applying the induction hypothesis, we find

$s \in \Phi(\chi) \cup (\Phi(\psi) \cap \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi))).$

Hence $s \in \Phi(\mathbf{A}(\psi\,\mathbf{U}\,\chi))$. □

Now, using this result, we have:

Lemma 3.5 The relation $\sqsubseteq$ given above is a simulation relation.

Proof Assume $s' \sqsubseteq s = (f, E)$. By definition, $L'(s') \downarrow A = f = L(s)$. Suppose now that $\pi' = s'_0 s'_1 s'_2 \ldots$ is a path from $s' = s'_0$ in $M'$. We will construct a path $\pi$ from $s = s_0$ in $M$ that corresponds to $\pi'$. Assume that we have constructed states up to $s_i$ so far, and that we know $s'_i \sqsubseteq s_i$. Let $\mathbf{AX}\,\psi_0, \ldots, \mathbf{AX}\,\psi_{m-1}$ be the elementary formulas that $s'_i$ satisfies. Then $s'_{i+1}$ must satisfy $\psi_0, \ldots, \psi_{m-1}$. Now observe that each state of $M'$ is related to a (unique) state of $M$ by $\sqsubseteq$. Let $s_{i+1}$ be the state related to $s'_{i+1}$ in this manner. By the previous lemma, $s_{i+1} \in \Phi(\psi_0), \ldots, s_{i+1} \in \Phi(\psi_{m-1})$. Since $s'_i \sqsubseteq s_i = (f_i, E_i)$, we know that the elementary formulas $\mathbf{AX}\,\psi_j$ are the only elementary formulas for which $\mathbf{AX}\,\psi_j \in E_i$. Then by the definition of $\mathcal{T}(\varphi)$, $R(s_i, s_{i+1})$. Thus, we have found $s_{i+1}$ that extends the sequence and for which $s'_{i+1} \sqsubseteq s_{i+1}$. Now we just have to show that this sequence satisfies the acceptance conditions.

Assume that it does not. Then, looking at the acceptance conditions for the tableau, we see that there must be some elementary formula $\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi)$ and some $i$ such that for all $j > i$:

$s_j \notin (S - \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi))) \cup \Phi(\chi).$

Then $s_j = (f_j, E_j)$ is not in either part of the union. Now $s_j \notin S - \Phi(\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi))$ implies that $\mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi) \in E_j$. By the definition of $\sqsubseteq$, we find that $s'_j \models \mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi)$. Further, since $s_j \notin \Phi(\chi)$, then by the previous lemma, we must have $s'_j \not\models \chi$. But then we have, for all $j > i$, $s'_j \models \mathbf{AX}\,\mathbf{A}(\psi\,\mathbf{U}\,\chi)$ and $s'_j \not\models \chi$. This implies that $\pi'$ must not be a path, a contradiction. □

Putting the previous two lemmas together, we obtain the desired result. If $M' \models \varphi$, then by definition, every initial state $s'$ of $M'$ satisfies $\varphi$. Recall that the simulation relation $\sqsubseteq$ defined above pairs every such $s'$ with a unique state $s$ of the tableau. Now lemma 3.4 implies that $s$ is in $\Phi(\varphi)$, and hence by the definition of the tableau, $s$ is an initial state. Since $\sqsubseteq$ is a simulation relation, we conclude that $s'$ can be simulated by an initial state of the tableau. Hence $M' \preceq \mathcal{T}(\varphi)$.
Chapter 4
Abstraction


So far, all of the methods we have for checking $\preceq$ (and $\models$) are either direct algorithms (e.g., model checking) or techniques based on properties of $\preceq$ and $\|$ (e.g., assume-guarantee proofs). In this section, we consider methods based on abstraction. When performing abstractions, we lose information about the exact behavior of the system under consideration. As a result, there will be some properties whose truth cannot be determined by looking only at the abstracted system. It is important that the verification methodology not lead to false positive results. That is, if we find that some property is true of the abstracted system, we must have a guarantee that the property really does hold for the actual system. A verification methodology with this property is said to be conservative. Note that we have no requirements about what happens in the actual system if the property is not true in the abstracted system.

Our main goal is to be able to verify efficiently systems that manipulate data in nontrivial ways. For such systems, we will want to collapse the possible data values down to a small set of abstract elements. There are two main reasons why abstraction is useful for verifying systems that manipulate data. First, the properties that we are interested in proving can often be expressed in terms of abstract values, i.e., we can write accurate specifications at the abstract level. Second, real systems generally manipulate data in well-structured ways. As a result, we can tell something about the abstract value representing the result of an operation based on the abstract values of the inputs. This is important if we are going to make a model of our system that is not too conservative.


4.1 Conservative Connections

When using abstraction for verification, we will be working at two levels: a concrete one and an abstract one. Structures at the abstract level will be viewed as approximations to structures at the concrete level. In order to tie the levels together, we introduce a map that takes a structure at the concrete level and produces an abstract-level view of it. Another map will take a structure at the abstract level and give us a concrete-level structure that represents the "most general" behavior corresponding to the abstract structure. The goal of using abstraction is to check a specification at the abstract level, and then to infer a similar relationship at the concrete level. Thus, we are led to the following definition.

Definition 4.1 Let $\Psi_u$ be a function mapping structures over $A$ to structures over $\bar{A}$, and let $\Psi_l$ be a function mapping structures over $\bar{A}$ to structures over $A$. We say that $(\Psi_u, \Psi_l)$ is a conservative connection (between structures over $A$ and $\bar{A}$) when for all structures $M$ and $\bar{M}$ (over $A$ and $\bar{A}$ respectively), $\Psi_u(M) \preceq \bar{M}$ implies $M \preceq \Psi_l(\bar{M})$.

The notion above is a kind of hybrid of the conservative approximation of Burch [21] and the Galois connections used by Bensalem et al. [6], and also has some relation to Kurshan's automata homomorphisms [62]. (Actually, we can impose a lattice structure on structures: meet is composition, join is a kind of disjoint union, and top and bottom are the structures $\top$ and $\bot$ of example 3.8. Then the definition above can actually be viewed as a Galois connection between the lattice of structures over $A$ and the lattice of structures over $\bar{A}$.)

The motivation behind using a conservative connection is that verifying $\Psi_u(M) \preceq \bar{M}$ will be easier than verifying $M \preceq \Psi_l(\bar{M})$ directly.

The price we pay for the simplification is that we may obtain false negative results: it may be that $M \preceq \Psi_l(\bar{M})$ while $\Psi_u(M) \not\preceq \bar{M}$. The condition in the definition of a conservative connection can be expressed pictorially as in figure 4.1.
Figure 4.1: A conservative connection (diagram not reproduced; its labels are $\Psi_u(M)$, $\bar{M}$, $\Psi_u$, $M$ and "implies")

Note that, in contrast to the conservative approximations of Burch, the mapping $\Psi_l$ has abstract structures as its domain rather than its range. This is for two reasons: first, it is often most convenient to give the specification at an abstract level; $\Psi_l$ tells what the specification means at the level of the implementation. Second, in our framework it will generally be mathematically cleaner to give a single "most general" structure represented by a specification than to give the specification corresponding to an arbitrary structure. An implementation might actually provide a kind of lower bound mapping from structures over $A$ to structures over $\bar{A}$. Applying this mapping to $M$ and then applying $\Psi_l$ to the result should give something smaller than $M$ under $\preceq$. Also, an implementation may not actually provide a way to compute $\Psi_u$; if instead it produces something larger (under $\preceq$), this is still sufficient for verification purposes.

Example 4.1 Let $\bar{A} = A$, and let $id$ be the identity mapping between structures over $A$. Then $(id, id)$ is a conservative connection. □

Recall that we can have $M \preceq M'$ when $A' \subseteq A$. We could have actually defined $\preceq$ so that it only held between structures with the same sets of visible state components. Then we would use a conservative connection to hide state components. As another example of a conservative connection, we now consider how this would be done. First though, we will need a hiding operation for structures. We choose one that is analogous to our hiding operation for Moore machines (definition 2.14).

Definition 4.2 Let $M$ be a structure and $\bar{A}$ be a set of state components. The result of restricting $M$ to $\bar{A}$ (denoted $M \downarrow \bar{A}$) is the structure $\bar{M}$ defined by:

1. $\bar{S} = S$.

2. $\bar{I} = I$.

3. $\bar{R} = R$.

4. $\bar{L}$ is defined by $\bar{L}(s) = L(s) \downarrow \bar{A}$.

5. $\bar{F} = F$.

Example 4.2 Let $\bar{A} \subseteq A$, and let $\Psi_u(M) = M \downarrow \bar{A}$. Also, take $\Psi_l(\bar{M}) = \bar{M} \| \top(A - \bar{A})$. Then $(\Psi_u, \Psi_l)$ is a conservative connection. To see this, assume $\Psi_u(M) \preceq \bar{M}$. We note that $M \preceq \Psi_u(M)$, so $M \preceq \bar{M}$. Composing both sides with $\top(A - \bar{A})$ gives

$M \| \top(A - \bar{A}) \preceq \bar{M} \| \top(A - \bar{A}).$

Now by theorem 3.5, $M \| \top(A - \bar{A})$ is isomorphic to $M$. Also, the right side of the above relation is $\Psi_l(\bar{M})$, so we have $M \preceq \Psi_l(\bar{M})$, as required. □

Example 4.3 The composition of conservative connections is also a conservative connection. Suppose that $(\Psi_u, \Psi_l)$ is a conservative connection between structures over $A$ and $\bar{A}$ and $(\Psi'_u, \Psi'_l)$ is a conservative connection between structures over $\bar{A}$ and $\hat{A}$. Then $(\Psi'_u \circ \Psi_u, \Psi_l \circ \Psi'_l)$ is a conservative connection between $A$ and $\hat{A}$. □

Example 4.4 Suppose $(\Psi_u, \Psi_l)$ is a conservative connection between structures over $A$ and $\bar{A}$. If $\Psi'_u$ and $\Psi'_l$ are functions with $\Psi_u(M) \preceq \Psi'_u(M)$ and $\Psi_l(\bar{M}) \preceq \Psi'_l(\bar{M})$, then $(\Psi'_u, \Psi'_l)$ is also a conservative connection. □
The mappings in conservative connections often have other nice properties. First, they are commonly monotonic with respect to the preorder $\preceq$. So, for example, applying $\Psi_u$ to $M$ and to $M'$ with $M \preceq M'$ gives $\Psi_u(M) \preceq \Psi_u(M')$. Second, distributing the mapping $\Psi_u$ over a composition gives something larger under $\preceq$. This latter property is especially important: in order to use conservative connections effectively, we usually do not want to deal explicitly with $M$ when producing the abstract version of $M$. The property says that we can approximate the parts of a composition before composing and still remain conservative.

Example 4.5 Recall the earlier example of collapsing states with identical labelings (example 3.10). $(collapse, collapse)$ is a conservative connection between structures over $A$ and $A$. Also, $collapse$ is monotonic, and it can be distributed over compositions (we prove this later).

Note that applying $collapse$ to a structure in which each state has a unique labeling function gives a structure isomorphic to the original one. When $\Psi_l(\Psi_u(M)) \preceq M$, then we say that the conservative connection $(\Psi_u, \Psi_l)$ is exact for $M$. Thus, $(collapse, collapse)$ is exact for structures in which each state has a unique labeling function. □

We now consider conservative approximations that abstract the visible state components of a structure. The abstraction will be given in terms of a set of mappings on state component values. That is, for each concrete state component $a$, we will have a corresponding abstract state component $\bar{a}$. Then we will provide a mapping between $D_a$ and $D_{\bar{a}}$ that will be used to give an abstract-level view of the value of $a$. If we simply apply this mapping to the state labelings of a concrete-level structure, that will give us the desired abstract-level structure. This is the analog of an automata homomorphism induced by a boolean algebra homomorphism in the work of Kurshan [62].

Definition 4.3 Let $A = \{a_0, \ldots, a_{n-1}\}$, $\bar{A} = \{\bar{a}_0, \ldots, \bar{a}_{n-1}\}$, and suppose $h_0, \ldots, h_{n-1}$ are surjections with $h_i : D_{a_i} \to D_{\bar{a}_i}$. Let $h$ be the function mapping labeling functions over $A$ to labeling functions over $\bar{A}$ defined by

$(h(f))(\bar{a}_i) = h_i(f(a_i)).$

Let $M$ be a structure over $A$. Define $abs_u(M)$ (with respect to $h$) to be the following structure $\bar{M}$:
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rjt) 

1.  5  =  s. 

2.  1  =  1. 

3.  R=  R. 

4.  i{s)  =  kiL(s)). 

5.  F=  F. 

This gives us a mapping from concrete-level structures to abstract-level structures. Now we want to produce a conservative connection, and so far we have the situation shown in figure 4.2. We need to define $\mathit{abs}_l$ taking us from the abstract level to the concrete level.

Figure 4.2: Situation after defining $\mathit{abs}_u$.

Suppose that $M$ is a concrete-level structure and that $(s_0, s_1)$ is a transition of $M$. Also suppose that there is one visible state component $a$ that can take on the values $\{0, 1, 2, 3\}$. We will assume that the labeling for $s_0$ has $a = 0$ and the labeling for $s_1$ has $a = 1$. Let $h$ map 0 and 2 to $\mathit{even}$ and map 1 and 3 to $\mathit{odd}$. When we apply $\mathit{abs}_u$ to $M$, we get states $s_0$ and $s_1$ with labelings $\mathit{even}$ and $\mathit{odd}$, respectively, and a transition between them. Now suppose that we have a structure $\hat M$ that can simulate $\mathit{abs}_u(M)$. There should be some transition $(\hat s_0, \hat s_1)$ that can simulate the $(s_0, s_1)$ transition of $\mathit{abs}_u(M)$. This implies that $\hat L(\hat s_0)$ should be $\mathit{even}$ and $\hat L(\hat s_1)$ should be $\mathit{odd}$. Now we want to define a mapping $\mathit{abs}_l$ from abstract to concrete structures. Because simulation at the abstract level should imply simulation at the concrete level, we will want $\mathit{abs}_l(\hat M)$ to be able to simulate $M$. It is natural to use the $(\hat s_0, \hat s_1)$ transition to construct a transition of $\mathit{abs}_l(\hat M)$ that can simulate the $(s_0, s_1)$ transition of $M$. However, since $h$ is generally not a bijection, given just the labelings of $\hat s_0$ and $\hat s_1$, we cannot tell exactly what labelings $s_0$ and $s_1$ have. Thus, we will expand each state of $\hat M$ into a class of states, one for each compatible labeling. This will give us the state space of $\mathit{abs}_l(\hat M)$. In this example, we expand $\hat s_0$ into two states, $(\hat s_0, 0)$ and $(\hat s_0, 2)$ (where 0 and 2 denote the labeling functions mapping $a$ to 0 and 2). Similarly, $\hat s_1$ expands into $(\hat s_1, 1)$ and $(\hat s_1, 3)$. Since $s_0$ has the labeling $a = 0$, we choose $(\hat s_0, 0)$ to simulate it, and likewise $(\hat s_1, 1)$ will simulate $s_1$. Now we just include all transitions from states in the class for $\hat s_0$ to states in the class for $\hat s_1$. The $((\hat s_0, 0), (\hat s_1, 1))$ transition will simulate the $(s_0, s_1)$ transition of $M$. We now define $\mathit{abs}_l$ formally.

Definition 4.4 Let $\hat M$ be a structure over $\hat A$. Define $\mathit{abs}_l(\hat M)$ (with respect to $h$) to be the structure $M$ given by:

1. $S = \{\, (\hat s, f) \mid \hat s \in \hat S \;\wedge\; f \in \mathit{labelings}(A) \;\wedge\; \hat L(\hat s) = \hat h(f) \,\}$.

2. $I = \{\, (\hat s, f) \in S \mid \hat s \in \hat I \,\}$.

3. $R((\hat s_0, f_0), (\hat s_1, f_1))$ iff $\hat R(\hat s_0, \hat s_1)$.

4. $L((\hat s, f)) = f$.

5. Each $(\hat P, \hat Q) \in \hat F$ is transformed into a corresponding pair

$(\{\, (\hat s, f) \in S \mid \hat s \in \hat P \,\},\; \{\, (\hat s, f) \in S \mid \hat s \in \hat Q \,\})$

in $F$.

Example 4.6 Figure 4.3 shows the structure $M$ corresponding to a traffic light. The structure has one state component $c$ (for "color") which can take on one of the values $\{\mathit{red}, \mathit{yellow}, \mathit{green}\}$. The labels in the figure indicate the value of $c$ in the different states. We abbreviate $\mathit{red}$ by r, $\mathit{yellow}$ by y, and $\mathit{green}$ by g in the figure. The structure also has an acceptance condition requiring that we not loop forever in the state where $c = \mathit{red}$. The abstract state component corresponding to $c$ will be denoted by $\hat c$. It will range over the values $\{\mathit{stop}, \mathit{go}\}$, and we will use the abstraction defined by $h(\mathit{red}) = \mathit{stop}$ and $h(\mathit{yellow}) = h(\mathit{green}) = \mathit{go}$. With this mapping, $\mathit{abs}_u(M)$ is shown in figure 4.4. In the figure, s indicates $\mathit{stop}$ and g denotes $\mathit{go}$. The acceptance condition carries over as well: infinitely often, we must visit one of the bottom two states (where $\hat c = \mathit{go}$). On the other hand, if we let $\hat M$ be the structure in figure 4.4, then we can also apply $\mathit{abs}_l$ to $\hat M$. This process is shown in figure 4.5. In the figure, the dashed arrows indicate the mapping between abstract-level states and concrete-level states. The lower two abstract states each map to a pair of concrete states. Note that the resulting structure $\mathit{abs}_l(\mathit{abs}_u(M))$ can simulate $M$, as implied by the definition of a conservative connection. □

Figure 4.3: A structure representing a traffic light (acceptance condition $\mathbf{GF}(c \neq \mathit{red})$)

Theorem 4.1 $(\mathit{abs}_u, \mathit{abs}_l)$ is a conservative connection.

The proof of this is deferred; here, we just give the intuition. Suppose we know that $\mathit{abs}_u(M) \preceq \hat M$. Given a state $s$ of $M$, we lift it to the abstract level using $\mathit{abs}_u$. Now at this level, $s$ can be simulated by some state $\hat s$ of $\hat M$. However, each state $\hat s$ of $\hat M$ can be viewed as a set of states at the concrete level, one for each possible concrete labeling function $f$ satisfying $\hat L(\hat s) = \hat h(f)$. Thus, $\mathit{abs}_l(\hat M)$ will have a state $(\hat s, L(s))$, and this state will be able to simulate $s$.

Figure 4.4: The result of applying $\mathit{abs}_u$ to the structure in figure 4.3 (acceptance condition $\mathbf{GF}(\hat c \neq \mathit{stop})$)
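The following Python program is an added illustration and is not part of the thesis. It builds $\mathit{abs}_u$ and $\mathit{abs}_l$ for explicit finite structures $(S, I, R, L, F)$ following definitions 4.3 and 4.4, and then checks by a greatest-fixpoint computation that $\mathit{abs}_l(\mathit{abs}_u(M))$ simulates $M$, which is what Theorem 4.1 guarantees. Two simplifications are assumed here and not in the text: the traffic light is a constructed three-state cycle rather than the exact structure of figure 4.3, and the simulation check compares labelings and transitions only, ignoring the acceptance conditions $F$ (they are transformed per definition 4.4 but not checked). All names are the example's own.

```python
# Added example, not code from the thesis: abs_u and abs_l on explicit finite
# structures M = (S, I, R, L, F), plus a simulation check.  The traffic light
# below is a constructed three-state cycle, not the structure of figure 4.3.
from itertools import product


def hhat(h, f):
    """\\hat h: apply the per-component maps h[a] to a labeling f (dict a -> value)."""
    return {a: h[a](f[a]) for a in f}


def labelings(domains):
    """All labeling functions over the components, given each component's domain."""
    comps = sorted(domains)
    return [dict(zip(comps, vals)) for vals in product(*(domains[a] for a in comps))]


def frozen(f):
    """Make a labeling hashable so it can be part of a state name."""
    return tuple(sorted(f.items()))


def abs_u(M, h):
    """Definition 4.3: same S, I, R, F; every labeling is pushed through \\hat h."""
    S, I, R, L, F = M
    return (S, I, R, {s: hhat(h, L[s]) for s in S}, F)


def abs_l(Mhat, h, domains):
    """Definition 4.4: expand each abstract state into one concrete state per
    labeling f over A compatible with it, i.e. \\hat L(s) = \\hat h(f)."""
    Sh, Ih, Rh, Lh, Fh = Mhat
    S = {(s, frozen(f)) for s in Sh for f in labelings(domains) if hhat(h, f) == Lh[s]}
    I = {(s, f) for (s, f) in S if s in Ih}
    R = {((s0, f0), (s1, f1)) for (s0, f0) in S for (s1, f1) in S if (s0, s1) in Rh}
    L = {(s, f): dict(f) for (s, f) in S}
    F = [({x for x in S if x[0] in P}, {x for x in S if x[0] in Q}) for P, Q in Fh]
    return (S, I, R, L, F)


def simulates(M1, M2):
    """True iff M2 can simulate M1 (M1 <= M2).  Greatest relation H such that
    related states have equal labelings, every transition of M1 is matched by
    one of M2 staying inside H, and every initial state of M1 is matched by an
    initial state of M2.  Assumption: the acceptance conditions F are ignored."""
    S1, I1, R1, L1, _ = M1
    S2, I2, R2, L2, _ = M2
    H = {(s, t) for s in S1 for t in S2 if L1[s] == L2[t]}
    changed = True
    while changed:                      # refine until no pair can be removed
        changed = False
        for s, t in list(H):
            for a, s2 in R1:
                if a == s and not any((s2, t2) in H for b, t2 in R2 if b == t):
                    H.discard((s, t))
                    changed = True
                    break
    return all(any((s, t) in H for t in I2) for s in I1)


# Constructed traffic light: red -> green -> yellow -> red.  The acceptance pair
# (S, {states with c != red}) stands in for the condition GF(c != red).
LIGHT = ({"r", "g", "y"}, {"r"}, {("r", "g"), ("g", "y"), ("y", "r")},
         {"r": {"c": "red"}, "g": {"c": "green"}, "y": {"c": "yellow"}},
         [({"r", "g", "y"}, {"g", "y"})])
H_STOPGO = {"c": lambda v: "stop" if v == "red" else "go"}   # h(red)=stop, else go
DOMAINS = {"c": ["red", "yellow", "green"]}


def roundtrip():
    """abs_l(abs_u(LIGHT)); by Theorem 4.1 it must be able to simulate LIGHT."""
    return abs_l(abs_u(LIGHT, H_STOPGO), H_STOPGO, DOMAINS)
```

Running roundtrip() yields five concrete-level states: the stop state expands to one labeling and each go state to two, mirroring the dashed arrows of figure 4.5. simulates(LIGHT, roundtrip()) holds, while the converse simulation fails, which is why the connection is conservative but not exact for this structure.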

It is easy to see that $\mathit{abs}_u$ and $\mathit{abs}_l$ are both monotonic with respect to $\preceq$. They can also be pushed over composition. For $\mathit{abs}_u$, every state of $\mathit{abs}_u(M \parallel M')$ is also a state $(s, s')$ of $M \parallel M'$. This means that $s$ and $s'$ are states in $\mathit{abs}_u(M)$ and $\mathit{abs}_u(M')$, respectively, and they have compatible labelings. Hence $(s, s')$ is also a state of $\mathit{abs}_u(M) \parallel \mathit{abs}_u(M')$, and this state can simulate $(s, s')$ in $\mathit{abs}_u(M \parallel M')$. For $\mathit{abs}_l$, a state $(\hat s, \hat s')$ in $\hat M \parallel \hat M'$ gives rise to states $((\hat s, \hat s'), f)$ in $\mathit{abs}_l(\hat M \parallel \hat M')$. Now $(\hat s, f)$ and $(\hat s', f)$ must be states of $\mathit{abs}_l(\hat M)$ and $\mathit{abs}_l(\hat M')$ respectively, and so $((\hat s, f), (\hat s', f))$ is a state of their composition. This state can be seen to simulate $((\hat s, \hat s'), f)$.

Note that $\mathit{abs}_u(M)$ is essentially like $M$, but with the labeling function changed. In order to reduce the complexity of verification, we will generally apply $\mathit{collapse}$ immediately after $\mathit{abs}_u$. However, constructing $M$ in order to compute $\mathit{abs}_u(M)$ and then $\mathit{collapse}(\mathit{abs}_u(M))$ is often not practical. We address this problem in the next section.

Figure 4.5: The result of applying $\mathit{abs}_l$ to the structure in figure 4.4 (acceptance conditions $\mathbf{GF}(\hat c \neq \mathit{stop})$ and $\mathbf{GF}(c \neq \mathit{red})$)


4.2 Computing Abstractions

We use two methods to avoid having to examine $M$. The first is to use the fact that $M$ is often given as a composition. By pushing the approximation computation over the composition, we do not have to construct the product state space of the parts. The other technique relies on the fact that we usually have an implicit representation for $M$. For example, suppose $M$ is given by a program in a finite-state language. By using a nonstandard semantics for the language, we can directly compile an approximation to $\mathit{collapse}(\mathit{abs}_u(M))$. This approach is similar to the use of abstract interpretation in program analysis [40, 41] and was first applied to verification by Clarke, Grumberg, and Long [30]. We now illustrate the details of this process using a simple finite state language which we call $\mathcal{L}_0$. Programs in $\mathcal{L}_0$ can be used to describe structures, but we emphasize that $\mathcal{L}_0$ is intended only for illustration purposes: it does not contain facilities that would be needed in a practical language. After discussing the syntax and intuitive meanings of $\mathcal{L}_0$ programs, we will give two semantics: a standard one, and one that can be used to produce an approximation to the abstracted structure.

Definition 4.5 The syntactic classes for the language $\mathcal{L}_0$ are defined as follows:

1. Variables: $v_0, v_1, \ldots$

2. Functions and constants: $f_0, f_1, \ldots$

3. Expressions: an expression $e$ is either a variable reference $v_i$ or a function invocation $f_i(e_0, \ldots, e_{n-1})$.

4. Statements: a statement $s$ has one of the following forms:

(a) an assignment statement $v_i := e$;

(b) a conditional statement $e_0 \to s_0 \mid \ldots \mid e_{n-1} \to s_{n-1}$; or

(c) a sequential composition $s_0; \ldots; s_{n-1}$; or

(d) a parallel composition $s_0 \parallel \ldots \parallel s_{n-1}$.

For conditionals, we require that the union of the guards be total (their disjunction must be a tautology), so one alternative is always selected. In the parallel composition, we require that different $s_i$ do not change the same variable, as this may lead to conflicts. To enforce this, we define a function $\mathit{changes}$ that gives the set of variables changed by a statement. Then we must have $\mathit{changes}(s_i) \cap \mathit{changes}(s_j) = \emptyset$ for $i \neq j$. Formally, $\mathit{changes}$ is defined as follows:

(a) $\mathit{changes}(v_i := e) = \{v_i\}$.

(b) $\mathit{changes}(e_0 \to s_0 \mid \ldots \mid e_{n-1} \to s_{n-1}) = \bigcup_{i=0}^{n-1} \mathit{changes}(s_i)$.

(c) $\mathit{changes}(s_0; \ldots; s_{n-1}) = \bigcup_{i=0}^{n-1} \mathit{changes}(s_i)$.

(d) $\mathit{changes}(s_0 \parallel \ldots \parallel s_{n-1}) = \bigcup_{i=0}^{n-1} \mathit{changes}(s_i)$.

Both of these restrictions can be eliminated, but since $\mathcal{L}_0$ is only being used for illustrative purposes, we choose to keep things simple.

5. Programs: a program is a pair of statements $s_{\mathit{init}}; s_{\mathit{trans}}^{\omega}$. The statement $s_{\mathit{init}}$ is used to set up the initial states from which the program begins execution. At that point, we proceed by executing $s_{\mathit{trans}}$ repeatedly. (Thus the notation: the $\omega$ is intended to suggest infinite execution of $s_{\mathit{trans}}$ following one execution of $s_{\mathit{init}}$.) To derive the actual set of initial states, we execute $s_{\mathit{init}}$ starting from an arbitrary state; any state that is reached as a result is an initial state.

The state space of an $\mathcal{L}_0$ program will be a set of tuples of valuations over a collection $A = \{a_0, a_1, \ldots\}$ of state components. The variable $v_i$ within a program is used to refer to the value of component $a_i$ within a state, or to specify how the value of that component changes. Note that we have not specified the operators that are allowed in expressions in an $\mathcal{L}_0$ program, but the exact ones are not important.
Before giving a formal semantics for $\mathcal{L}_0$, we start with an intuitive description. Expressions will have their usual meanings. An assignment statement $v_i := e$ sets the value of the component $a_i$ to the result of evaluating $e$. To execute a conditional $e_0 \to s_0 \mid \ldots \mid e_{n-1} \to s_{n-1}$, we evaluate all of the expressions $e_i$, each of which should yield a boolean value. Next, we choose an $i$ for which $e_i$ is true (there must be at least one), and then execute the corresponding $s_i$. Multiple $e_i$ being true gives rise to nondeterminism. For a sequential composition $s_0; \ldots; s_{n-1}$, we execute the $s_i$ in order: $s_{i+1}$ is executed starting from the state where $s_i$ finished. To execute the parallel composition $s_0 \parallel \ldots \parallel s_{n-1}$, we first execute each $s_i$ starting from the current state. Then, we merge the results of each of these executions to obtain the result of executing the parallel composition. The merging is done as follows: if $s_i$ sets the value of state component $a_j$ to the value of $e$, then the value of $a_j$ after execution of the parallel composition will be the value of $e$. In order to ensure that different $s_i$ do not set the same $a_j$ to conflicting values, we require that different $s_i$ cannot assign to the same variable. This is the reason for introducing the function $\mathit{changes}$ above.

Example 4.7 Consider the Collatz problem (the "$3x + 1$ problem"). You are given a natural number $x$ and asked to apply the following procedure. If $x$ is odd, multiply it by three and add one; if it is even, divide it by two. If this procedure is repeated continually, will you always reach $x = 1$? (The answer to this question is currently unknown.) An $\mathcal{L}_0$ program that executes steps of the $3x + 1$ problem for the initial value 42 is shown in figure 4.6. We will come back to this program when we consider the process of direct abstract-level compilation. □

We now proceed to give the formal semantics of $\mathcal{L}_0$. Since we are interested in producing initial state and transition relations, a relational semantics is most natural. For simplicity, we will assume that the set of state components (and corresponding variables) is fixed, and that the domains of values for these components are likewise fixed. In a practical language of course, these would be specified within the program. We also ignore type checking issues: a given state component can only hold certain values, and assignments to the corresponding variable must respect this. In order to give semantics for conditionals, we need to be able to specify that an expression evaluates to true. For simplicity, we assume that $\mathit{true}$ is a special data value, and that it is left fixed by the abstraction mapping.

INITIAL
  x := 42
TRANSITIONS
  even?(x) -> x := x/2
  | odd?(x) -> x := x+x+x;
               x := x+1

Figure 4.6: Example $\mathcal{L}_0$ program

The semantics will be in terms of a meaning function, denoted as $\llbracket \cdot \rrbracket$, which we take as assigning meanings to expressions, statements, and programs. The meaning of an expression will be a function that takes a state of the system and returns the value of that expression when evaluated at that state. Following standard notational conventions, we write this in curried form: $\llbracket e \rrbracket\sigma$ means take $e$, find its meaning (a function from states to values), and apply this function to the state $\sigma$. States of the system are viewed as valuations, i.e., mappings from variables to values. The meaning of a statement is a relation between states that is true iff executing the statement starting in the first state can result in the second state. If the statement $s$ can take us from state $\sigma$ to state $\sigma'$, we write $\llbracket s \rrbracket(\sigma, \sigma')$. The meaning of a program will be a structure. The semantics are parameterized by concrete functions that correspond to the operators appearing in the expressions.

Definition 4.6 The standard semantics for $\mathcal{L}_0$ (over concrete functions $f_0, f_1, \ldots$) is defined as follows:

1. Expressions:

(a) The meaning of a variable in a particular state is just the value of the variable in the state:

$\llbracket v_i \rrbracket\sigma = \sigma(v_i)$.

(b) The meaning of a function invocation $f_i(e_0, \ldots, e_{n-1})$ is the result of first evaluating the meaning of each $e_j$ (in $\sigma$) and then applying $f_i$ to the result:

$\llbracket f_i(e_0, \ldots, e_{n-1}) \rrbracket\sigma = f_i(\llbracket e_0 \rrbracket\sigma, \ldots, \llbracket e_{n-1} \rrbracket\sigma)$.

2. Statements:

(a) An assignment statement $v_i := e$ takes us between the states $\sigma$ and $\sigma'$ when $\sigma'$ is obtained from $\sigma$ by first evaluating the expression $e$ in the state $\sigma$ and then setting the value of $v_i$ in $\sigma'$ to the result: $\llbracket v_i := e \rrbracket(\sigma, \sigma')$ iff $\sigma' = \sigma[\llbracket e \rrbracket\sigma / v_i]$.

(b) For a conditional, we evaluate all of the guards in the state $\sigma$, choose one which is true, and then execute the corresponding statement to take us between $\sigma$ and $\sigma'$:

$\llbracket e_0 \to s_0 \mid \ldots \mid e_{n-1} \to s_{n-1} \rrbracket(\sigma, \sigma')$ iff there exists $i$ such that $(\llbracket e_i \rrbracket\sigma = \mathit{true}) \wedge \llbracket s_i \rrbracket(\sigma, \sigma')$.

(c) For a sequential composition, we just execute each statement in turn.

$\llbracket s_0; \ldots; s_{n-1} \rrbracket(\sigma, \sigma')$ iff there exist $\sigma_0, \ldots, \sigma_n$ such that $\sigma_0 = \sigma$, $\sigma_n = \sigma'$, and for all $0 \le i < n$, $\llbracket s_i \rrbracket(\sigma_i, \sigma_{i+1})$.

(d) In a parallel composition, recall that we have a syntactic restriction that two different statements in the composition cannot change the same variable. Thus, to get the effect of parallel execution, we just execute each statement in the composition starting from the state $\sigma$. Then we fold all of the changes that the statements make together to get $\sigma'$. Because of the above restriction, we cannot run into conflicts when doing the merging.

$\llbracket s_0 \parallel \ldots \parallel s_{n-1} \rrbracket(\sigma, \sigma')$ iff there exist $\sigma_0, \ldots, \sigma_{n-1}$ such that $\llbracket s_i \rrbracket(\sigma, \sigma_i)$ for all $0 \le i < n$ and:

i. $\sigma'(v_j) = \sigma_i(v_j)$ when there exists a (unique) $i$ such that $v_j \in \mathit{changes}(s_i)$;

ii. $\sigma'(v_j) = \sigma(v_j)$ otherwise.

3. Programs: The meaning of a program $s_{\mathit{init}}; s_{\mathit{trans}}^{\omega}$ is the following structure.

(a) $S$ is the set of all valuations $\sigma$.

(b) For the initial states, we execute $s_{\mathit{init}}$ from an arbitrary state. Thus, $\sigma' \in I$ iff there exists $\sigma$ such that $\llbracket s_{\mathit{init}} \rrbracket(\sigma, \sigma')$.

(c) The possible transitions are those that are allowed by $s_{\mathit{trans}}$: $R = \llbracket s_{\mathit{trans}} \rrbracket$.

(d) The labeling of a state is just given by the state: $L(\sigma)(a_i) = \sigma(v_i)$.

(e) $F = \emptyset$.

We now turn to the problem of compiling an $\mathcal{L}_0$ program in order to obtain an approximation to the actual meaning of the program. We will assume that the value of the variable $v_i$ is to be abstracted by the mapping $h_i$, i.e., $h_i$ is a mapping from $D_{a_i}$ (the domain for $v_i$) to $D_{\hat a_i}$ (the abstract domain for this same variable). Now we want to work directly over abstract domain elements in order to avoid having to apply an abstraction such as $\mathit{abs}_u$ after the compilation process. By working in the abstract domain, we generally lose information. As a result, we often cannot tell exactly what the value of an expression should be. For example, suppose the concrete domain that we are considering is the natural numbers, and say that the subtraction $m - n$ is defined to produce 0 when $m < n$. Also assume that the abstract value corresponding to a number is equal to the value of the number modulo 5. Given just the values of $m$ and $n$ modulo 5, we cannot tell exactly what the value of $m - n$ modulo 5 will be. On the other hand, we do have some information: it must be either 0 (if $m < n$) or $m - n$ modulo 5 (if $m \ge n$). We will capture this uncertainty by using a relation to represent the value of an expression. When the relation corresponding to an expression is true for some abstract domain element, it intuitively indicates that the expression may evaluate to that abstract value. Of course, this uncertainty also appears at the level of the primitive operators that appear in expressions, and hence the semantics now will depend on a set of relations rather than on a set of functions as above. There will be a relation for each function, and we will denote the relation corresponding to $f_i$ by $P_{f_i}$. While we want $P_{f_i}$ to overestimate the possible values of $f_i$, we do not want to be too conservative. For example, while having $P_{f_i}$ be the universal relation (i.e., saying that $f_i$ could produce any value) would give a valid approximation, we would not be able to prove anything interesting by examining the abstract structure. Thus, we want to include only those values that are strictly necessary. This suggests the following: we take $P_{f_i}(\hat d_0, \ldots, \hat d_{n-1}, \hat d)$ iff

$\exists d_0 \ldots d_{n-1}\, d \,\Big[ \bigwedge_{j=0}^{n-1} h(d_j) = \hat d_j \;\wedge\; h(d) = \hat d \;\wedge\; f_i(d_0, \ldots, d_{n-1}) = d \Big].$

(Here, we are abusing notation and writing $h(d)$ for $d \in D_{a_j}$ to denote $h_j(d)$.) That is, $P_{f_i}$ is true for $\hat d_0, \ldots, \hat d_{n-1}, \hat d$ when: given arguments whose abstract values are $\hat d_0, \ldots, \hat d_{n-1}$, $f_i$ could produce a result whose abstract value is $\hat d$. Now we define the approximating semantics for $\mathcal{L}_0$ programs. Recall that we are now going to be compiling entirely at the abstract level.

Definition 4.7 The upper approximating semantics for $\mathcal{L}_0$ (over the relations $P_{f_0}, P_{f_1}, \ldots$) is denoted by $\llbracket \cdot \rrbracket_u$ and is defined as follows:

1. Expressions: Recall that the meaning of an expression will be a relation that is true for an abstract value $\hat d$ when it appears that the actual value $d$ could be such that $h(d) = \hat d$.

(a) The meaning of a variable reference $v_i$ is a relation that is true for $\hat d$ when the actual value of $v_i$ could map to $\hat d$. However, the abstract value of $v_i$ is given by the state $\hat\sigma$. Thus, $(\llbracket v_i \rrbracket_u \hat\sigma)(\hat d)$ iff $\hat\sigma(v_i) = \hat d$.

(b) For a function application $f_i(e_0, \ldots, e_{n-1})$, we want to evaluate the arguments and then apply $f_i$. When we evaluate the argument $e_j$, we get the relation $\llbracket e_j \rrbracket_u \hat\sigma$ specifying the possible abstract values of $e_j$. Now $P_{f_i}$ tells us the possible abstract values of $f_i$ given a sequence of abstract inputs. Thus, we simply look at all the possible sequences of abstract inputs and check $P_{f_i}$ for each sequence.

$(\llbracket f_i(e_0, \ldots, e_{n-1}) \rrbracket_u \hat\sigma)(\hat d)$ iff $\exists \hat d_0 \ldots \hat d_{n-1} \,\big[ (\llbracket e_0 \rrbracket_u \hat\sigma)(\hat d_0) \wedge \cdots \wedge (\llbracket e_{n-1} \rrbracket_u \hat\sigma)(\hat d_{n-1}) \wedge P_{f_i}(\hat d_0, \ldots, \hat d_{n-1}, \hat d) \big]$.

2. Statements:

(a) For an assignment $v_i := e$, we again just want to replace the next state value of $v_i$ with the value of $e$. The possible values of $e$ are given by the relation $\llbracket e \rrbracket_u \hat\sigma$, so we just allow $\hat\sigma'(v_i)$ to be any value satisfying this relation.

$\llbracket v_i := e \rrbracket_u(\hat\sigma, \hat\sigma')$ iff there exists $\hat d$ such that $(\llbracket e \rrbracket_u \hat\sigma)(\hat d)$ ($\hat d$ is a possible value of $e$) and $\hat\sigma' = \hat\sigma[\hat d / v_i]$.

(b) For a conditional, we want to evaluate each guard and then choose one which is true. However, we cannot necessarily tell the exact value of each guard. In order to simulate what the actual program might do, we allow execution of a statement $s_i$ whenever the corresponding guard $e_i$ could be true.

$\llbracket e_0 \to s_0 \mid \ldots \mid e_{n-1} \to s_{n-1} \rrbracket_u(\hat\sigma, \hat\sigma')$ iff there exists $i$ such that $(\llbracket e_i \rrbracket_u \hat\sigma)(\mathit{true})$ ($e_i$ could be true) and $\llbracket s_i \rrbracket_u(\hat\sigma, \hat\sigma')$.

(c) $\llbracket \cdot \rrbracket_u$ for sequential compositions and parallel compositions is defined in the same manner as $\llbracket \cdot \rrbracket$ back in definition 4.6. (This is because these operations do not directly involve evaluating expressions.)

3. Programs: The program $s_{\mathit{init}}; s_{\mathit{trans}}^{\omega}$ evaluates to a structure $\hat M$, but this time it is over abstract state components. Other than this, the definition is analogous to that for $\llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket$.

(a) $\hat S$ is the set of all valuations $\hat\sigma$.

(b) $\hat\sigma' \in \hat I$ iff there exists $\hat\sigma$ such that $\llbracket s_{\mathit{init}} \rrbracket_u(\hat\sigma, \hat\sigma')$.

(c) $\hat R = \llbracket s_{\mathit{trans}} \rrbracket_u$.

(d) $\hat L(\hat\sigma)(\hat a_i) = \hat\sigma(v_i)$.

(e) $\hat F = \emptyset$.

Now in order to be able to use our approximating semantics for verification purposes, we need that $\mathit{abs}_u(\llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket) \preceq \llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket_u$. We actually have the following stronger result, whose proof is deferred.

Theorem 4.2 Let $s_{\mathit{init}}; s_{\mathit{trans}}^{\omega}$ be an $\mathcal{L}_0$ program. Then

$\mathit{collapse}(\mathit{abs}_u(\llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket)) \preceq \llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket_u.$

Since $M \preceq \mathit{collapse}(M)$ for all structures $M$, this implies

$\mathit{abs}_u(\llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket) \preceq \llbracket s_{\mathit{init}}; s_{\mathit{trans}}^{\omega} \rrbracket_u.$

Example 4.8 Consider the program of example 4.7. Suppose that we abstract $x$ by mapping even natural numbers to $\mathit{even}$ and odd ones to $\mathit{odd}$. First, let us compute the $P_{f_i}$ used in the program. We have predicates $\mathit{odd?}$ and $\mathit{even?}$ mapping natural numbers to booleans, and we have addition and integer division. Then, as expected, we get

$P_{\mathit{odd?}} = \{(\mathit{odd}, \mathit{true}), (\mathit{even}, \mathit{false})\}$

and

$P_{\mathit{even?}} = \{(\mathit{odd}, \mathit{false}), (\mathit{even}, \mathit{true})\}$.

Addition also behaves nicely:

$P_{+} = \{(\mathit{odd}, \mathit{odd}, \mathit{even}), (\mathit{even}, \mathit{even}, \mathit{even}), (\mathit{odd}, \mathit{even}, \mathit{odd}), (\mathit{even}, \mathit{odd}, \mathit{odd})\}$.

With division, however, we find that $P_{/}$ is the universal relation. (We also have the obvious relations representing the constants 1 and 2 that are used in the program.) Now we begin assigning meaning to the pieces of the program.

Consider the expression $x + 1$. What is the meaning that the approximating semantics assigns to this expression? Recall that $\llbracket x + 1 \rrbracket_u \hat\sigma$ is supposed to be a relation representing possible abstract values of $x + 1$ given that $x$ has the abstract value $\hat\sigma(x)$. Let us consider the abstract value $\mathit{odd}$ and determine when it can be in $\llbracket x + 1 \rrbracket_u \hat\sigma$. We have that $\mathit{odd}$ is a possible value iff there exist $\hat d_0$ and $\hat d_1$ (chosen from $\{\mathit{even}, \mathit{odd}\}$) such that $P_{+}(\hat d_0, \hat d_1, \mathit{odd})$ and $(\llbracket x \rrbracket_u \hat\sigma)(\hat d_0)$ and $P_{1}(\hat d_1)$. Since $P_{1}$ is only true for the abstract value $\mathit{odd}$, we must have $\hat d_1 = \mathit{odd}$. Then $P_{+}(\hat d_0, \mathit{odd}, \mathit{odd})$ is only true for $\hat d_0 = \mathit{even}$. Hence we must have $(\llbracket x \rrbracket_u \hat\sigma)(\mathit{even})$, i.e., $x$ must have the abstract value $\mathit{even}$, and so $\hat\sigma(x) = \mathit{even}$. In summary, we find that $x$ must have the abstract value $\mathit{even}$ for $x + 1$ to evaluate to the abstract value $\mathit{odd}$. Similarly, $x$ must be $\mathit{odd}$ for $x + 1$ to give $\mathit{even}$. Using the above, we can derive the relation $\llbracket x := x + 1 \rrbracket_u$. Recall that this relation tells us the possible abstract state changes that can occur when we execute $x := x + 1$. If we identify a valuation by the value it assigns to $x$, then

$\llbracket x := x + 1 \rrbracket_u = \{(\mathit{odd}, \mathit{even}), (\mathit{even}, \mathit{odd})\}$.

For $x := x + x + x$, we obtain

$\llbracket x := x + x + x \rrbracket_u = \{(\mathit{odd}, \mathit{odd}), (\mathit{even}, \mathit{even})\}$.

Taking the relational product:

$\llbracket x := x + x + x;\; x := x + 1 \rrbracket_u = \{(\mathit{odd}, \mathit{even}), (\mathit{even}, \mathit{odd})\}$.

For $x := x/2$, we get the universal relation. Evaluating the conditional, we obtain the final transition relation

$\{(\mathit{odd}, \mathit{even}), (\mathit{even}, \mathit{even}), (\mathit{even}, \mathit{odd})\}$.

From this abstract compilation, we can tell that the system would satisfy the property: "if $x$ is odd, then one step later, $x$ will be even". □
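The following Python program is an added illustration, not part of the thesis or its prototype compiler. It computes the relations $P_{f_i}$ from the abstraction mapping $h$ using the relational product given above, and then executes the upper approximating semantics of definition 4.7 on the Collatz program of figure 4.6, reproducing the relations of example 4.8. Assumptions made here and not in the text: the concrete domain is the bounded naturals $0 \ldots 64$ (the thesis leaves the domains unspecified), $P_{f_i}$ is obtained by enumerating that domain rather than by a BDD relational product, and programs are encoded as nested tuples. The parallel composition case, with the $\mathit{changes}$ check of definition 4.5, is included although the Collatz program does not use it.

```python
# Added example (not from the thesis): compiling an L0-style program directly
# at the abstract level, following the upper approximating semantics [[.]]_u.
# Assumptions: the concrete domain is the naturals 0..BOUND, P_f is computed by
# enumeration rather than a BDD relational product, and programs are encoded as
# nested tuples ("var", v) / ("app", f, [args]) / ("assign", v, e) /
# ("cond", [(guard, stmt), ...]) / ("seq", [stmts]) / ("par", [stmts]).
from itertools import product

BOUND = 64                              # assumed finite concrete domain
CONCRETE = range(BOUND + 1)
ABSTRACT = ("even", "odd")              # abstract domain for x


def h(d):
    """Abstraction mapping: natural -> parity; booleans (true) are left fixed."""
    if isinstance(d, bool):
        return d
    return "even" if d % 2 == 0 else "odd"


def lift(f, arity):
    """P_f from h: (d^0..d^{n-1}, d^) is in P_f iff some concrete arguments with
    abstract values d^i make f return a value whose abstract value is d^."""
    rel = set()
    for args in product(CONCRETE, repeat=arity):
        try:
            res = f(*args)
        except ZeroDivisionError:       # x/0 has no result to abstract
            continue
        rel.add(tuple(h(a) for a in args) + (h(res),))
    return rel


# Relations for the primitives used by the program of figure 4.6.
P = {
    "even?": lift(lambda x: x % 2 == 0, 1),
    "odd?":  lift(lambda x: x % 2 == 1, 1),
    "+":     lift(lambda x, y: x + y, 2),
    "/":     lift(lambda x, y: x // y, 2),    # integer division
    "1":     lift(lambda: 1, 0),
    "2":     lift(lambda: 2, 0),
    "42":    lift(lambda: 42, 0),
}


def as_state(d):
    """Abstract valuations are kept hashable as frozensets of (var, value)."""
    return frozenset(d.items())


def eval_u(expr, sigma):
    """[[e]]_u sigma as a set: the abstract values e may take in state sigma."""
    if expr[0] == "var":
        return {sigma[expr[1]]}
    _, fname, args = expr
    arg_vals = [eval_u(a, sigma) for a in args]
    return {tup[-1] for combo in product(*arg_vals)
            for tup in P[fname] if tup[:-1] == combo}


def changes(stmt):
    """Variables a statement may change (definition 4.5)."""
    if stmt[0] == "assign":
        return {stmt[1]}
    body = [s for _, s in stmt[1]] if stmt[0] == "cond" else stmt[1]
    return set().union(*(changes(s) for s in body))


def exec_u(stmt, st):
    """[[s]]_u restricted to one source state: the set of abstract successors."""
    sigma, kind = dict(st), stmt[0]
    if kind == "assign":
        _, v, e = stmt
        return {as_state({**sigma, v: d}) for d in eval_u(e, sigma)}
    if kind == "cond":                  # take any branch whose guard could be true
        return {t for g, s in stmt[1] if True in eval_u(g, sigma)
                for t in exec_u(s, st)}
    if kind == "seq":                   # relational product of the pieces
        states = {st}
        for s in stmt[1]:
            states = {t for x in states for t in exec_u(s, x)}
        return states
    parts = stmt[1]                     # "par": run each part from st, then merge
    ch = [changes(s) for s in parts]
    assert all(ch[i].isdisjoint(ch[j]) for i in range(len(parts))
               for j in range(i + 1, len(parts))), "parts change a common variable"
    succ = set()
    for combo in product(*(exec_u(s, st) for s in parts)):
        merged = dict(sigma)
        for res, cs in zip(combo, ch):
            merged.update((v, dict(res)[v]) for v in cs)
        succ.add(as_state(merged))
    return succ


X = ("var", "x")
COLLATZ = ("cond", [
    (("app", "even?", [X]), ("assign", "x", ("app", "/", [X, ("app", "2", [])]))),
    (("app", "odd?", [X]), ("seq", [
        ("assign", "x", ("app", "+", [("app", "+", [X, X]), X])),
        ("assign", "x", ("app", "+", [X, ("app", "1", [])]))])),
])


def collatz_abstract_relation():
    """The abstract transition relation of example 4.8, as pairs of x-parities."""
    states = [as_state({"x": d}) for d in ABSTRACT]
    return {(dict(a)["x"], dict(b)["x"]) for a in states for b in exec_u(COLLATZ, a)}


def odd_then_even(rel):
    """Property from example 4.8: whenever x is odd, every successor has x even."""
    return all(b == "even" for a, b in rel if a == "odd")
```

collatz_abstract_relation() returns {(odd, even), (even, even), (even, odd)}, and odd_then_even confirms the property stated at the end of example 4.8. Because integer division of any two parities can yield either parity, $P_{/}$ comes out universal, so the abstract compilation proves nothing about what follows an even value; that is the loss of information the text warns about, and the reason the user must be able to change the $h_i$ when an abstraction turns out too coarse.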


In implementing the above ideas, the main difficulty is in producing the $P_{f_i}$. When performing a verification, the user must have a lot of flexibility in constructing abstractions. Contrast this with the situation where abstract interpretation is being used by a compiler to gather data-flow information for optimization purposes. Here, if the abstraction is not precise enough to prove that a particular optimization is safe, then the program will simply run a bit slower. In verification, when the user decides that the current abstraction is not precise enough to prove some property, she must have the flexibility to modify the abstraction in order to try to capture the information required. Obviously, making the user provide new $P_{f_i}$ each time the abstraction changes is extremely tedious and error-prone. Also, we have found that we often need to make up new abstractions during the course of a verification. Hence, having a fixed "catalog" of allowed abstractions is not an option. The alternative is to have the user provide only the abstraction mapping (the $h_i$) for each variable and to let the compiler produce the $P_{f_i}$ as needed. This requires the ability to evaluate the relational products

$\exists d_0 \ldots d_{n-1}\, d \,\Big[ \bigwedge_{j=0}^{n-1} h(d_j) = \hat d_j \;\wedge\; h(d) = \hat d \;\wedge\; f_i(d_0, \ldots, d_{n-1}) = d \Big]$

automatically. In a BDD-based compiler, this is feasible: BDDs essentially give us a way of manipulating sets, relations, and functions over finite domains. This is the approach we used in developing the prototype compiler described in the next section.


4.3 Example Abstractions

In this section, we discuss some abstractions which have proved useful in practice. Each is illustrated with a small example. These examples are drawn from the paper by Clarke, Grumberg, and Long [30]. The examples will be given using a finite state language that is suitable for describing Moore machines. The main features of this language are:

1. It is procedural and contains a variety of structured programming constructs, such as while loops. Non-recursive procedures are also available.

2. It is finite state. The user must specify a fixed number of bits for each input and output in a program.

3. In keeping with the Moore machine semantics, the model of computation is a synchronous one. At the start of each time step, inputs to the program are obtained from the environment. All computation in a program is viewed as instantaneous (i.e., occurring in zero time). There is one special statement, wait, which is used to indicate the passage of time. When a wait statement is encountered, any changes to the program's outputs become visible to the environment, and a new time step is initiated. Thus, computation proceeds as follows: obtain inputs, compute (in zero time) until a wait is encountered, make output changes visible, obtain new inputs, etc. The wait statements indicate the control points in the program.

Aside from the wait statement, most of the language features used in the examples are self-explanatory. Additional features will be described in more detail as needed.

We implemented a prototype compiler to take programs written in the language and compile them down into Moore machines. During the compilation process, BDDs for the initial states and transitions of the program are produced by symbolic execution. When a program is compiled, the user may also specify abstractions for some of the inputs or outputs. These abstractions are given by simply specifying the functions $h_i$. By using the techniques described previously, the compiler directly generates an abstract Moore machine. There are a number of abstractions built into the compiler, some of which are described below. In addition, the user may define new abstractions by supplying procedures to build the BDDs representing the abstraction function. Abstract versions of the language primitives are computed automatically by the compiler as needed during the compilation. Since the language is much more complex than $\mathcal{L}_0$, we will not give its formal semantics or the approximating semantics here.

Figure 4.7 is a small example program, a settable countdown timer. The timer has two inputs, set and start, which are one and eight bits wide respectively. There are also two outputs: count, which is eight bits wide and is initially zero; and alarm, which is one bit and initially one. At each time step, the operation of the counter is as follows. If set is one, then the counter is set to the value of start. Otherwise, if the counter is not zero, it is decremented. The alarm output is set to one when count is zero, and to zero if count is nonzero.

    input set[1];
    input start[8];
    output count[8] := 0;
    output alarm[1] := 1
    loop
      if set = 1
        count := start
      else if count > 0
        count := count - 1
      endif;
      if count = 0
        alarm := 1
      else
        alarm := 0
      endif;
      wait
    endloop

Figure 4.7: An example program


4.3.1 Congruence modulo an integer

For verifying programs involving arithmetic operations, a useful abstraction is congruence modulo a specified integer m:

$h(i) = i \bmod m.$

This abstraction is motivated by the following properties of arithmetic modulo m.

$((i \bmod m) + (j \bmod m)) \bmod m \equiv i + j \pmod{m}$

$((i \bmod m) - (j \bmod m)) \bmod m \equiv i - j \pmod{m}$

$((i \bmod m)(j \bmod m)) \bmod m \equiv ij \pmod{m}$
In other words, we can determine the value modulo m of an expression involving addition, subtraction and multiplication by working with the values modulo m of the subexpressions.

The abstraction may also be used to verify more complex relationships by applying the following result from elementary number theory.

Theorem 4.3 (Chinese remainder theorem) Let $m_1, m_2, \ldots, m_n$ be positive integers which are pairwise relatively prime. Define $m = m_1 m_2 \cdots m_n$, and let $b, i_1, i_2, \ldots, i_n$ be integers. Then there is a unique integer $i$ such that

$b \le i < b + m$ and $i \equiv i_j \pmod{m_j}$ for $1 \le j \le n$.

Suppose that we are able to verify that at a certain point, the value of the nonnegative integer variable x is equal to $i_j$ modulo $m_j$ for each of the relatively prime integers $m_1, m_2, \ldots, m_n$. Further, suppose that the value of x is constrained to be less than $m_1 m_2 \cdots m_n$ (e.g., x is represented using k bits and $2^k \le m_1 m_2 \cdots m_n$). Then using the above result, we can uniquely determine the value of x at that point from the $i_j$.

We illustrate this abstraction using a 16 bit by 16 bit unsigned multiplier (see figure 4.8). The program has inputs req, in1 and in2. The last two inputs provide the factors to operate on, and the first is a request signal which starts the multiplication. Some number of time units later, the output ack will be set to true. At that point, either output gives the 16 bit result of the multiplication, or overflow is one if the multiplication overflowed. The multiplier then waits for req to become zero before starting another cycle. The multiplication itself is done with a series of shift-and-add steps. At each step, the low order bit of the first factor is examined; if it is one, then the second factor is added to the accumulating result. The first factor is then shifted right and the result is shifted left in preparation for the next step. One feature of the language which the program uses is the ability to extend an operand to a specified number of bits (lines 21 and 27), indicated using the colon operator. This facility is used to extend output and factor2 when adding and shifting so that overflow can be detected. The statement

    (overflow, output) := (output:17) + factor2



sets output to the 16 bit sum of output and factor2 and overflow to the carry from this sum. Also, << is used to indicate left shift by the indicated number of bits, and right shifts are indicated with >>. The break statement is used to exit the innermost loop.

The specification we would like to use for the multiplier is a series of formulas of the following form.

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \wedge (\mathit{in1} \bmod m = i) \wedge (\mathit{in2} \bmod m = j) \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{U}\ \mathit{ack} \wedge (\mathit{overflow} \vee (\mathit{output} \bmod m = k))))$

Here, i and j range from 0 through $m - 1$, $k = ij \bmod m$, and waiting is an atomic proposition which is true when execution is at line 13 in the program. Since verifying liveness properties such as those involving the until operator tends to be more complex than verifying safety properties, we will actually check the following weaker properties:

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \wedge (\mathit{in1} \bmod m = i) \wedge (\mathit{in2} \bmod m = j) \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{W}\ \mathit{ack} \wedge (\mathit{overflow} \vee (\mathit{output} \bmod m = k)))).$

The operator $\mathbf{W}$ is the weak until operator; it is like $\mathbf{U}$, but the second argument is not required to ever become true. In general, $\mathbf{A}(f\ \mathbf{W}\ g)$ is equivalent to $\mathbf{A}(g\ \mathbf{V}\ (f \vee g))$. We will later verify (using a different abstraction) that eventually an acknowledgment is always received. Then, using the tableau construction, the combination of these two properties can be checked to imply the original specification.

To verify the properties described above, the input in2 and the outputs factor2 and output were all abstracted modulo m. The output factor1 and its corresponding input in1 were not abstracted, since the entire bit pattern of factor1 is used to control when factor2 is added to output. We performed the verification for m = 5, 7, 9, 11 and 32. These numbers are relatively prime, and their product, 110,880, is sufficient to cover all $2^{16}$ possible values of output. Now we would like to use theorem 4.3 to deduce the following class of properties:

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \wedge (\mathit{in1} = i) \wedge (\mathit{in2} = j) \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{W}\ \mathit{ack} \wedge (\mathit{overflow} \vee (\mathit{output} = ij)))).$

In order to do this, we need to argue that we know the value of output modulo the different values of m at the same time point. Our property was in fact chosen so that this is the case: we know something about the value of output at the point where ack is first asserted.

     1  input in1[16];
     2  input in2[16];
     3  input req;
     4  output factor1[16] := 0;
     5  output factor2[16] := 0;
     6  output output[16] := 0;
     7  output overflow := 0;
     8  output ack := 0
     9  procedure waitfor(e)
    10    while !e wait endwhile
    11  endproc
    12  loop
    13    waitfor(req);
    14    factor1 := in1; factor2 := in2;
    15    output := 0; overflow := 0; wait;
    16    loop
    17      if (factor1 = 0) | (overflow = 1)
    18        break
    19      endif;
    20      if factor1[0] = 1
    21        (overflow, output) := (output:17) + factor2
    22      endif;
    23      factor1 := factor1 >> 1; wait;
    24      if (factor1 = 0) | (overflow = 1)
    25        break
    26      endif;
    27      (overflow, factor2) := (factor2:17) << 1;
    28      wait
    29    endloop;
    30    ack := 1; wait;
    31    waitfor(!req);
    32    ack := 0
    33  endloop

Figure 4.8: A 16 bit multiplier

The entire verification required slightly less than 30 minutes of CPU time on a Sun 4. We also note that because the BDDs needed to represent multiplication grow exponentially with the size of the multiplier, it would not have been feasible to verify the multiplier directly. Further, even checking the above formulas on the unabstracted multiplier proved to be impractical. Note that the specification above admits the possibility that the multiplier always signals an overflow. We verified that this is not the case using the abstraction described in the next subsection.
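The modular abstraction of the multiplier and the Chinese-remainder recombination, as an added Python model that is not code from the thesis or its compiler. It keeps factor1 concrete and factor2 and output modulo m, and treats the carry out of the 17-bit add and shift as nondeterministic because the carry is not a function of the residues (an assumption about how the compiler's abstract primitives behave); the per-m property is then checked over every abstract run, and the function names are chosen here.

```python
"""Added example: the multiplier of figure 4.8 abstracted modulo m.

factor1 stays concrete; factor2 and output are kept modulo m.  The carry out
of the 17-bit add (line 21) and shift (line 27) is not a function of the
residues, so the abstract machine treats overflow as nondeterministic.  This
is an assumption about the abstract primitives, not the thesis's own code.
"""

WIDTH = 16
MASK = (1 << WIDTH) - 1
MODULI = (5, 7, 9, 11, 32)   # pairwise relatively prime; product 110,880 > 2**16


def multiply_shift_add(in1, in2):
    """Concrete machine, lines 14-29 of figure 4.8.  Returns (overflow, output)."""
    factor1, factor2, output, overflow = in1 & MASK, in2 & MASK, 0, 0
    while True:
        if factor1 == 0 or overflow == 1:              # line 17
            break
        if factor1 & 1:                                 # line 20
            s = output + factor2                        # (output:17) + factor2
            overflow, output = s >> WIDTH, s & MASK     # line 21
        factor1 >>= 1                                   # line 23
        if factor1 == 0 or overflow == 1:              # line 24
            break
        s = factor2 << 1                                # (factor2:17) << 1
        overflow, factor2 = s >> WIDTH, s & MASK        # line 27
    return overflow, output


def abstract_final_states(in1, in2_mod_m, m):
    """Abstract machine modulo m: the set of (overflow, output mod m) pairs that
    can hold at the point where ack is first asserted (line 30)."""
    finals = set()
    stack = [(in1 & MASK, in2_mod_m % m, 0, 0)]   # (factor1, factor2, output, overflow)
    while stack:
        factor1, factor2, output, overflow = stack.pop()
        if factor1 == 0 or overflow == 1:              # line 17: leave the loop
            finals.add((overflow, output))
            continue
        if factor1 & 1:                                 # line 21 abstracted:
            after_add = [((output + factor2) % m, ov) for ov in (0, 1)]
        else:                                           # residue exact, carry unknown
            after_add = [(output, 0)]
        for output1, ov1 in after_add:
            factor1_next = factor1 >> 1                # line 23
            if factor1_next == 0 or ov1 == 1:          # line 24
                finals.add((ov1, output1))
                continue
            for ov2 in (0, 1):                          # line 27 abstracted likewise
                stack.append((factor1_next, (2 * factor2) % m, output1, ov2))
    return finals


def property_holds(in1, in2, m):
    """The weak-until property for one (i, j): at ack, either overflow is set or
    output mod m equals k = ij mod m.  Checked over every abstract run."""
    k = (in1 * in2) % m
    return all(ov == 1 or out == k
               for ov, out in abstract_final_states(in1, in2 % m, m))


def crt_reconstruct(residues):
    """Theorem 4.3 with b = 0: the unique x in [0, prod m) with x = r (mod m)
    for every (m, r) pair, built up one modulus at a time."""
    x, big = 0, 1
    for m, r in residues.items():
        t = ((r - x) * pow(big, -1, m)) % m            # gcd(big, m) = 1
        x += big * t
        big *= m
    return x


def recover_product(in1, in2):
    """Combine the residue each abstraction reports on its overflow-free run.
    Equals in1 * in2 whenever the concrete machine does not overflow."""
    residues = {}
    for m in MODULI:
        no_overflow = {out for ov, out in abstract_final_states(in1, in2 % m, m)
                       if ov == 0}
        assert len(no_overflow) == 1       # only the carry-free run ends without overflow
        residues[m] = no_overflow.pop()
    return crt_reconstruct(residues)
```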


4.3.2 Representation by logarithm

When only the order of magnitude of a quantity is important, it is sometimes useful to represent the quantity by (a fixed precision approximation of) its logarithm. For example, suppose $i \ge 0$. Define

$\lg i = \lceil \log_2(i + 1) \rceil,$

i.e., $\lg i$ is 0 if i is 0, and for $i > 0$, $\lg i$ is the smallest number of bits needed to write i in binary. We take $h(i) = \lg i$.

As an illustration of this abstraction, consider again the multiplier of figure 4.8. Recall that a multiplier which always indicated an overflow would satisfy our previous specification. We note that if $\lg i + \lg j \le 16$, then $\lg ij \le 16$, and hence the multiplication of i and j should not overflow. Conversely, if $\lg i + \lg j \ge 18$, then $\lg ij \ge 17$, and the multiplication of i and j will overflow. When $\lg i + \lg j = 17$, we cannot say whether overflow should occur. These observations lead us to strengthen our specification to include the following two formulas.

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \wedge (\lg \mathit{in1} + \lg \mathit{in2} \le 16) \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{W}\ \mathit{ack} \wedge \neg\mathit{overflow}))$

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \wedge (\lg \mathit{in1} + \lg \mathit{in2} \ge 18) \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{W}\ \mathit{ack} \wedge \mathit{overflow}))$

We represented all the 16 bit variables in the program by their logarithms. Compiling the program with this abstraction and checking the above properties required less than a minute of CPU time. We can also use this abstraction to verify that the program does eventually give an acknowledgment.

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{U}\ \mathit{ack}))$

Checking this required only a few seconds of CPU time. To ensure that we can in fact conclude the stronger specifications such as

$\mathbf{AG}(\mathit{waiting} \wedge \mathit{req} \wedge (\lg \mathit{in1} + \lg \mathit{in2} \le 16) \rightarrow \mathbf{A}(\neg\mathit{ack}\ \mathbf{U}\ \mathit{ack} \wedge \neg\mathit{overflow})),$

we verified that

$\mathbf{AG}(p_1 \wedge p_2 \rightarrow \mathbf{A}(\neg p_3\ \mathbf{W}\ p_3 \wedge p_4))$

and

$\mathbf{AG}(p_1 \rightarrow \mathbf{A}(\neg p_3\ \mathbf{U}\ p_3))$

implies

$\mathbf{AG}(p_1 \wedge p_2 \rightarrow \mathbf{A}(\neg p_3\ \mathbf{U}\ p_3 \wedge p_4)).$

Instantiating $p_1$ with $\mathit{waiting} \wedge \mathit{req}$, $p_3$ with $\mathit{ack}$, and $p_2$ and $p_4$ as appropriate proves the desired properties.
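The overflow argument of this subsection carried out in an added Python example that is not the thesis's code: each abstract value a stands for the interval of concrete i with lg i = a, abstract multiplication and the overflow verdict are computed from the interval endpoints, and the rule above is checked for soundness over all pairs of 16-bit classes. The function names are chosen here.

```python
"""Added example: the logarithm abstraction lg i = ceil(log2(i + 1)) applied
to the overflow question for the multiplier of figure 4.8.  The abstract
value a = lg i stands for the interval [2^(a-1), 2^a - 1] (just {0} when
a = 0), so the abstract product and the overflow verdict follow from
interval arithmetic on the endpoints.  Not code from the thesis."""

WIDTH = 16


def lg(i):
    """lg i = ceil(log2(i + 1)): 0 for i = 0, else the bits needed to write i."""
    return i.bit_length()


def concrete_interval(a):
    """The set of i with lg i = a, as (low, high) bounds."""
    return (0, 0) if a == 0 else (1 << (a - 1), (1 << a) - 1)


def abstract_product(a, b):
    """Abstract multiplication under lg: every lg(i*j) that can arise when
    lg i = a and lg j = b (the table the compiler would derive for *)."""
    lo_i, hi_i = concrete_interval(a)
    lo_j, hi_j = concrete_interval(b)
    return set(range(lg(lo_i * lo_j), lg(hi_i * hi_j) + 1))


def verdict_from_rule(a, b):
    """The rule of section 4.3.2: no overflow if lg i + lg j <= 16,
    overflow if >= 18, undetermined when the sum is 17."""
    if a + b <= WIDTH:
        return "no"
    if a + b >= WIDTH + 2:
        return "yes"
    return "unknown"


def verdict_from_intervals(a, b):
    """The same question answered from the product interval: ij >= 2^16 overflows."""
    lo_i, hi_i = concrete_interval(a)
    lo_j, hi_j = concrete_interval(b)
    if hi_i * hi_j < (1 << WIDTH):
        return "no"
    if lo_i * lo_j >= (1 << WIDTH):
        return "yes"
    return "unknown"


def unsound_pairs():
    """Class pairs (a, b) where the rule gives a definite verdict that the
    interval computation does not confirm.  Soundness of the rule means
    this list is empty."""
    bad = []
    for a in range(WIDTH + 1):
        for b in range(WIDTH + 1):
            rule, exact = verdict_from_rule(a, b), verdict_from_intervals(a, b)
            if rule != "unknown" and rule != exact:
                bad.append((a, b))
    return bad


def witnesses(a, b):
    """For an undetermined pair of classes, one concrete pair that overflows
    and one that does not, both taken from the interval endpoints."""
    lo_i, hi_i = concrete_interval(a)
    lo_j, hi_j = concrete_interval(b)
    limit = 1 << WIDTH
    overflowing = (hi_i, hi_j) if hi_i * hi_j >= limit else None
    safe = (lo_i, lo_j) if lo_i * lo_j < limit else None
    return overflowing, safe
```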

4.3.3 Single bit and product abstractions

For programs involving bitwise logical operations, the following abstraction is often useful:

$h(i) = $ the $j$th bit of $i$,

where j is some fixed number.

If $h_1$ and $h_2$ are abstraction mappings, then $h(i) = (h_1(i), h_2(i))$ also defines an abstraction mapping. Using this type of abstraction, it may be possible to verify properties that it is not possible to verify with either $h_1$ or $h_2$ alone.

As an example of using these types of abstractions, consider the program shown in figure 4.9. This program reads an initial 16 bit input and computes the parity of it. The output done is set to one when the computation is complete; at that point, parity has the result. The operator ^ used on line 8 denotes exclusive-or. Let $\|i$ be true if the parity of i is odd. One desired property of the program is the following.



1. The value assigned to b has the same parity as that of in; and

2. $\|b \oplus \mathit{parity}$ is invariant from that point onwards.

We can express the above with the following formula.

$\neg\|\mathit{in} \wedge \mathbf{AX}(\neg\|b \wedge \mathbf{AG}\,\neg(\|b \oplus \mathit{parity})) \;\vee\; \|\mathit{in} \wedge \mathbf{AX}(\|b \wedge \mathbf{AG}(\|b \oplus \mathit{parity}))$

To verify this property, we used a combined abstraction for in and b. Namely, we grouped the possible values for these variables both by the value of their low order bit and by their parity. The verification required only a few seconds (note however, that this example is simple enough to check directly with a BDD-based verifier).


     1  input in[16];
     2  output parity[1] := 0;
     3  output b[16] := 0;
     4  output done[1] := 0
     5  b := in;
     6  wait;
     7  while b != 0
     8    parity := parity ^ b[0];
     9    b := b >> 1;
    10    wait
    11  endwhile;
    12  done := 1

Figure 4.9: A parity computation program
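The single-bit, parity and product abstractions applied to the parity program of figure 4.9, as an added Python example that is not code from the thesis or its compiler. Each primitive used by lines 7-9 is abstracted separately by taking its image over every concrete b in a class, mirroring how the compiler derives abstract primitives; that, and the fixed 16-bit width, are assumptions made here, and the function names are chosen here.

```python
"""Added example: abstractions of the parity program (figure 4.9).

Each language primitive (b != 0, b[0], b >> 1) is abstracted on its own: the
abstract result is the set of h-images of the primitive over every concrete b
in a class.  Composing these per-primitive abstractions loses the correlation
between b[0] and b >> 1, which is why parity alone is not enough here and the
product abstraction (low bit, parity) is needed.  Not the thesis's code."""

WIDTH = 16


def odd(v):
    """||v: 1 when v has an odd number of one bits, else 0."""
    return bin(v).count("1") & 1


# Abstraction mappings h on the 16-bit variables in and b.
H = {
    "bit0": lambda v: v & 1,                 # single bit abstraction, j = 0
    "parity": odd,
    "product": lambda v: (v & 1, odd(v)),    # h(i) = (h1(i), h2(i))
}


def parity_of_abstract(name, hb):
    """||b read off the abstract value, or None when h does not determine it."""
    if name == "parity":
        return hb
    if name == "product":
        return hb[1]
    return None


def build_tables(h):
    """Abstract versions of the primitives of lines 7-9, one entry per class."""
    classes = {}
    for v in range(1 << WIDTH):
        classes.setdefault(h(v), []).append(v)
    tables = {}
    for hb, members in classes.items():
        tables[hb] = {
            "nonzero": {b != 0 for b in members},    # line 7: b != 0
            "bit0": {b & 1 for b in members},        # line 8: b[0]
            "shift": {h(b >> 1) for b in members},   # line 9: b >> 1
        }
    return tables


def abstract_successors(state, tables):
    """One time step of figure 4.9 from the control point after a wait."""
    pc, parity, hb = state
    if pc == "done":
        return {state}                                # program has halted
    t = tables[hb]
    succ = set()
    if True in t["nonzero"]:                          # enter the loop body
        for x in t["bit0"]:                           # parity := parity ^ b[0]
            for hb2 in t["shift"]:                    # b := b >> 1
                succ.add(("loop", parity ^ x, hb2))
    if False in t["nonzero"]:                         # leave the loop, done := 1
        succ.add(("done", parity, hb))
    return succ


def invariant_holds(name):
    """AG(||b xor parity == ||in) from the state reached after 'b := in; wait',
    for every abstract value of in.  False if some reachable abstract state
    violates it or if the propositions are not expressible under h."""
    tables = build_tables(H[name])
    for hin in tables:
        target = parity_of_abstract(name, hin)
        if target is None:
            return False
        seen, stack = set(), [("loop", 0, hin)]
        while stack:
            state = stack.pop()
            if state in seen:
                continue
            seen.add(state)
            hpar = parity_of_abstract(name, state[2])
            if hpar is None or (hpar ^ state[1]) != target:
                return False
            stack.extend(abstract_successors(state, tables))
    return True
```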

In chapter 5, we will consider another very powerful type of abstraction. Now however, we turn to a method for abstracting the temporal behavior of a system.


4.4 Abstraction Via Observers


The abstractions defined previously give us a method for changing the set of values that a state component can take on. However, the abstract state component values were functions only of a single state in the unabstracted model. In this section, we consider a more general form of abstraction, which we call abstraction via observers. This type of abstraction makes it possible to have abstract state components that depend on the history of the computation.


Example 4.9 Consider a functional unit that receives some inputs, computes for some number of steps, and then gives an output. In a hardware implementation of such a device, pipelining is often used in order to increase throughput. A pipelined implementation might receive one set of inputs during each clock cycle and (after a suitable startup latency) give one output per cycle. That is, the behavior of the implementation over time is as follows:


    Time    1        2        3        4        5        6
            input    compute  compute  output
                     input    compute  compute  output
                              input    compute  compute  output

Suppose that we want to relate this to a specification that is given purely in terms of input/output behavior. That is, the timing of the specification is as follows:


    Times   1 to 3     4             5             6
            start up   input/output  input/output  input/output


Clearly, some method is needed for relating the timing of the implementation with that of the specification. This will be done via an observer process. An observer is a process that watches, but does not affect, some of the state components of the implementation. It has as outputs some of the state components of the specification. The composition of the observer with the implementation gives a specification-level view of the actions of the implementation. We will then compare this combined implementation/observer with the specification. Conversely, the specification may be combined with the observer to give an implementation-level view of the actions allowed by the specification. The observer process may have internal state that it uses to track what it has seen.




Let us make our example a bit more precise. Suppose that the functional unit reads a 16 bit input x and outputs a 16 bit result y. We will construct an observer process that watches x and y and produces as outputs $\hat x$ and $\hat y$ that correspond to the abstract-level I/O behavior. The observer must synchronize an input on x with the corresponding y output, and so it will store successive x inputs internally and only output them after a suitable delay. In contrast, it will pass y values to the abstract level immediately. The effect will be that at the abstract level, an x value and its corresponding y will appear simultaneously at the outputs of the observer. The actual observer process for this example is given by the program of figure 4.10. In the figure, the line

    mealyoutput y_hat[16] := y;

is used to introduce a Mealy-type output (one that may depend on both inputs and internal state). In this case, the Mealy output $\hat y$ is defined to be invariantly equal to the expression y, i.e., $\hat y$ is always equal to the input y. □


    input x[16];
    internal x_internal_1[16];
    internal x_internal_2[16];
    output x_hat[16];
    input y[16];
    mealyoutput y_hat[16] := y;
    loop
      x_hat := x_internal_2;
      x_internal_2 := x_internal_1;
      x_internal_1 := x;
      wait
    endloop

Figure 4.10: Observer process for example 4.9


In the example, we mentioned that an observer should not affect the concrete level state components. To see why this is the case, suppose that in the example above, the observer blocks any attempt to give the implementation the input x = 12. Because of this, it will never output the value $\hat x = 12$. Now assume that our implementation works correctly for all values except x = 12, but for x = 12, it produces y = 33 instead of the correct y = 44. Then when we run our observer in parallel with the implementation, all of the pairs $(\hat x, \hat y)$ that are observed at the abstract level are in fact correct. Hence, the (correct) abstract specification will be able to simulate this behavior, and we might erroneously conclude that the implementation is right. A similar problem can arise if the observer refuses to accept certain y values; in this case, the observer may suppress what would be an incorrect output by the implementation. We conclude that the observer must always be able to accept anything that might occur at the implementation level. (In the terminology of Dill, an observer must be receptive; the notion that we will use here corresponds to receptiveness in prefix-closed trace structures [43].) We now give the formal definition of an observer.
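The observer of figure 4.10 run against a model of the pipelined unit of example 4.9, together with the receptiveness failure just discussed, as an added Python example that is not code from the thesis. The unit's function, the input sequence and the three-cycle latency are constructed assumptions, and the function names are chosen here.

```python
"""Added example: the pipelined functional unit of example 4.9, the observer
of figure 4.10, and why the observer must be receptive.  Not the thesis's
code.  The unit's function, the input sequence and the latency are
constructed to match the tables in example 4.9 (input at time t, output at
time t + 3)."""

MASK = 0xFFFF
LATENCY = 3                       # assumed: result of the input at t appears at t + 3


def unit_function(x):
    """Constructed stand-in for what the functional unit computes."""
    return (3 * x) & MASK


SAMPLE_INPUTS = [5, 12, 7, 1, 12, 9, 0, 0, 0]    # constructed; one x per cycle


def pipelined_unit(xs, bug=None):
    """Implementation-level trace: the (x, y) values visible at each time step.
    y at step t is f(x at step t - LATENCY); during startup y is 0.
    `bug` is an optional {x: wrong_y} table modelling a faulty unit."""
    bug = bug or {}
    trace = []
    for t, x in enumerate(xs):
        if t >= LATENCY:
            src = xs[t - LATENCY]
            y = bug.get(src, unit_function(src))
        else:
            y = 0
        trace.append((x, y))
    return trace


def observer(trace):
    """Figure 4.10 composed with the implementation and restricted to the
    abstract components: returns the (x_hat, y_hat) trace.  x passes through
    x_internal_1 and x_internal_2 and then the Moore output x_hat, so x_hat at
    time t is x at time t - 3; y_hat is the Mealy output, equal to y at once."""
    x_internal_1 = x_internal_2 = x_hat = 0
    abstract = []
    for x, y in trace:
        abstract.append((x_hat, y))                  # what is visible this step
        # lines 8-10, computed in zero time and visible after the wait
        x_hat, x_internal_2, x_internal_1 = x_internal_2, x_internal_1, x
    return abstract


def abstract_view(xs, bug=None, accept=lambda x: True):
    """obs_u applied to a run of the unit.  `accept` models a non-receptive
    observer that refuses certain x values: those inputs never reach the
    implementation, so whatever it would have done with them is never seen."""
    return observer(pipelined_unit([x for x in xs if accept(x)], bug))


def meets_spec(abstract_trace, startup=LATENCY):
    """Abstract-level specification: after startup, every step shows an
    input/output pair with y_hat = f(x_hat)."""
    return all(y == unit_function(x) for x, y in abstract_trace[startup:])
```

With the receptive observer the faulty unit is caught; an observer that refuses x = 12 makes the same faulty unit look correct, which is the argument for definition 4.8.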

Definition 4.8 An observer over a set of state components $A'$ is a structure $M$ with the following properties:

1. The observer must be able to accept any initial value for the state components in $A'$. Formally, for every labeling function $f$ over $A'$, there exists $s \in I$ such that $f = L(s) \restriction A'$.

2. The observer must be able to accept any change in the state components in $A'$: for every labeling function $f$ over $A'$ and every state $s_0 \in S$, there exists $s_1$ such that $f = L(s_1) \restriction A'$ and $R(s_0, s_1)$.

3. In order to avoid having the acceptance condition rule out some infinite sequences of concrete-level behaviors, we also require $F = \emptyset$. (The structure being abstracted may have acceptance conditions, but the observer may not; this is again a receptiveness issue.)

Now suppose that we are given a set of observers. To get the abstract-level view of $M$, we would like to just run the observers in parallel with $M$. However, there is still one other way that incorrect behavior by $M$ can be suppressed. Suppose that we have two observers that both output the same abstract-level state component $\hat x$. If one wants to set $\hat x = 12$ and the other wants to set $\hat x = 13$, then the net effect is that they deadlock, and whatever implementation-level behavior led up to this situation is effectively disallowed. This is again unacceptable, but we can avoid the problem by simply requiring that different observers do not both try to output the same abstract-level component. Note, however, that it is legal for multiple observers to watch the same component. With this restriction, we can now abstract the implementation by just composing with our observers and hiding the concrete state components.

Definition 4.9 Let $A = \{a_0, \ldots, a_{n-1}\}$, $\hat A = \{\hat a_0, \ldots, \hat a_{\hat n - 1}\}$, and suppose that $O = \{M_0, \ldots, M_{m-1}\}$ is a set of observers over $A$ with $A_i \subseteq A \cup \hat A$. Also assume that for every pair $M_i, M_j$ of observers with $i \ne j$, $A_i \cap A_j \cap \hat A = \emptyset$ (no two observers output the same abstract state component). Let $M' = M_0 \| \cdots \| M_{m-1}$. If $M$ is a structure over $A$, then we define $\mathit{obs}_u(M)$ (with respect to $O$) to be $(M \| M') \restriction \hat A$.

The map $\mathit{obs}_u$ takes us from the concrete level to the abstract level. We want to produce a conservative connection, and at the moment we have the situation shown in figure 4.11. Assume that we are given $\hat M$; what implementation-level behavior should this represent?

    [Figure 4.11 (diagram): $(M \| M') \restriction \hat A$ at the abstract level alongside $\hat M$; the map back from $\hat M$ to the concrete level is still to be defined]

Figure 4.11: Situation after defining $\mathit{obs}_u$

To answer this question, let us think about the composition $M'$ of all of the observers in $O$. We can view this composition as telling us all of the abstract behaviors that would be observable if the implementation was completely nondeterministic and could do anything at any step. Now $\hat M$ will generally not be consistent with all of these abstract behaviors. We can prune away the incompatible ones by simply composing $M'$ with $\hat M$. The result of this composition involves both concrete- and abstract-level state components, so we then eliminate the abstract components by restricting to $A$. This process of composition and restriction is the desired map $\mathit{obs}_l$.

Definition 4.10 Let $A$, $\hat A$, etc., be as in definition 4.9. If $\hat M$ is a structure over $\hat A$, then we define $\mathit{obs}_l(\hat M)$ (with respect to $O$) to be $(\hat M \| M') \restriction A$.

We then have the following result, whose proof is deferred.

Theorem 4.4 $(\mathit{obs}_u, \mathit{obs}_l)$ is a conservative connection.

Example 4.10 The type of abstraction given by $\mathit{abs}_u$ and $\mathit{abs}_l$ can be expressed using observers. There would be one observer for each abstraction function $h_i$. The observer for $h_i$ simply looks at the value of state component $a_i$ and immediately sets $\hat a_i$ to $h_i$ of that value. In other words, we would be using a set of observers of the form shown in figure 4.12. Then $(\mathit{abs}_u, \mathit{abs}_l)$ corresponds directly to $(\mathit{obs}_u, \mathit{obs}_l)$. □


    input a_i[16];
    mealyoutput a_i_hat[16] := <h_i(a_i)>;
    loop
      wait
    endloop

Figure 4.12: Observer process corresponding to $(\mathit{abs}_u, \mathit{abs}_l)$
4.5 Summary

We have shown how abstraction can be used to simplify the process of checking $\preceq$. The basis for using abstraction is the notion of a conservative connection. The mappings in a conservative connection relate abstract-level and concrete-level structures, and if $\preceq$ holds at the abstract level, we can infer a similar relationship at the concrete level. We considered two main conservative connections. One was used just for data abstraction. A more general one, abstraction via observers, allows us to abstract temporal behavior as well. In the case of data abstraction, we discussed a method for directly compiling abstract-level structures from a finite-state program and a user-supplied abstraction mapping. We implemented a compiler based on these ideas and used it to verify a number of examples.


4.6 Technical Details

We begin by sketching the proof that collapse is monotonic and can be distributed over compositions.

Proof We first prove monotonicity. Suppose $M \preceq M'$ with $A = A'$, and assume without loss of generality that every state of $M$ and $M'$ is reachable. Let $\bar M = \mathit{collapse}(M)$ and $\bar M' = \mathit{collapse}(M')$. Obviously, for every state $s$ of $M$, there is a state $s'$ of $M'$ with $s \preceq s'$. Then $L(s) = L'(s')$, and so $\bar S \subseteq \bar S'$. We claim that $\sqsubseteq$, defined by $\bar M, f \sqsubseteq \bar M', f$ for all $f \in \bar S$, is a simulation relation. Obviously related states agree on their labelings. Consider a path $f_0 f_1 \ldots$ in $\bar M$. We must show that this same sequence is a path in $\bar M'$. Since $\bar R(f_i, f_{i+1})$, there exist $s_i$ and $s_{i+1}$ in $M$ with $f_i = L(s_i)$, $f_{i+1} = L(s_{i+1})$, and $R(s_i, s_{i+1})$. Now choose a state $s'_i$ of $M'$ with $s_i \preceq s'_i$. There must be a state $s'_{i+1}$ of $M'$ with $s_{i+1} \preceq s'_{i+1}$ and $R'(s'_i, s'_{i+1})$. This implies $\bar R'(f_i, f_{i+1})$. The result must also satisfy the acceptance conditions, and so $\sqsubseteq$ is indeed a simulation relation. If $s \in I$, there must be $s' \in I'$ with $s \preceq s'$. This implies that $\sqsubseteq$ relates initial states in $\bar M$ to initial states in $\bar M'$. Hence we conclude $\bar M \preceq \bar M'$, i.e., that collapse is monotonic with respect to $\preceq$.
Now let $M'' = M \| M'$, $\bar M = \mathit{collapse}(M)$, $\bar M' = \mathit{collapse}(M')$, and $\bar M'' = \mathit{collapse}(M'')$. Define the relation $\sqsubseteq$ to be

$\{\,(L''((s, s')),\ (L(s), L'(s')))\ :\ (s, s') \in S''\,\}.$

First, note that if $(s, s') \in S''$, then $s$ and $s'$ agree on the labeling for the state components in $A \cap A'$. Hence, $L(s)$ and $L'(s')$ agree on these same state components, and so $(L(s), L'(s'))$ is a state of $\bar M \| \bar M'$. $\sqsubseteq$ is in fact a simulation relation. Clearly the states related by $\sqsubseteq$ have identical labeling functions. Let $\pi'' = f''_0 f''_1 \ldots$ be a path in $\bar M''$. By definition of collapse, for all $i$, there are states $(s_i, s'_i)$ and $(t_i, t'_i)$ of $M''$ such that $R''((s_i, s'_i), (t_i, t'_i))$, $L''((s_i, s'_i)) = f''_i$, and $L''((t_i, t'_i)) = f''_{i+1}$. This implies $R(s_i, t_i)$ and $R'(s'_i, t'_i)$, and so $\bar R(L(s_i), L(t_i))$ and $\bar R'(L'(s'_i), L'(t'_i))$. Further, $L(s_i)$ and $L'(s'_i)$ must agree on the labeling of state components in $A \cap A'$, as must $L(t_i)$ and $L'(t'_i)$. Thus, $(L(s_i), L'(s'_i))$ and $(L(t_i), L'(t'_i))$ are states of $\bar M \| \bar M'$, and there is a transition between these states. This leads to a path in $\bar M \| \bar M'$ whose states are related by $\sqsubseteq$ to the states on $\pi''$. Thus, $\sqsubseteq$ is a simulation relation. Also, each initial state of $\bar M''$ must have the form $L''((s, s'))$, where $(s, s')$ is an initial state of $M''$. Now we find $(L(s), L'(s'))$ is a state of $\bar M \| \bar M'$, and $L(s)$ and $L'(s')$ are initial states since $s$ and $s'$ must be. Thus, $\sqsubseteq$ relates initial states to initial states, and so $\bar M'' \preceq \bar M \| \bar M'$; collapse does indeed distribute in the expected way over composition. □


We now turn to theorem 4.1, which states that $(\mathit{abs}_u, \mathit{abs}_l)$ is a conservative connection.

Proof Let $M$ and $\hat M'$ be structures over $A$ and $\hat A$ with $\mathit{abs}_u(M) \preceq \hat M'$, and define $\hat M = \mathit{abs}_u(M)$, $M' = \mathit{abs}_l(\hat M')$. Define $\sqsubseteq$ by $s \sqsubseteq (\hat s', f')$ iff $s \preceq \hat s'$ and $L(s) = f'$. We prove that $\sqsubseteq$ is a simulation relation.

Obviously, states that are related by $\sqsubseteq$ have the same labeling. Suppose that $\pi = s_0 s_1 s_2 \ldots$ is a path in $M$ from $s = s_0$ and that $s \sqsubseteq (\hat s', f')$. Notice that $\pi$ is also a path in $\hat M$. Since $s \preceq \hat s'$, there must be a corresponding path $\pi' = \hat s'_0 \hat s'_1 \hat s'_2 \ldots$ from $\hat s' = \hat s'_0$ in $\hat M'$. Thus, we have states $\hat s'_i$ in $\hat M'$ such that $s_i \preceq \hat s'_i$ for all $i$. This implies $h(L(s_i)) = \hat L'(\hat s'_i)$. Now let $f'_i = L(s_i)$; from the definition of $M'$, we have that $(\hat s'_i, f'_i)$ is a state in $M'$. By the definition of $\sqsubseteq$, $s_i \sqsubseteq (\hat s'_i, f'_i)$. Hence we have a sequence

$\pi' = (\hat s'_0, L(s_0))(\hat s'_1, L(s_1))(\hat s'_2, L(s_2)) \ldots$

in $M'$. From the definition of the acceptance condition of $M'$, it is easy to see that this is in fact a path, and since it corresponds to $\pi$, we conclude that $\sqsubseteq$ is a simulation relation.

If $s$ is an initial state of $M$, then $s$ is also an initial state of $\hat M$. Since $\hat M \preceq \hat M'$, there is a corresponding initial state $\hat s'$ of $\hat M'$. As above, we find that $(\hat s', L(s))$ is an initial state of $M'$. Hence $\sqsubseteq$ relates initial states to initial states, and so $M \preceq M'$. □

The proof that the approximating semantics ($[\![\cdot]\!]_u$) produces a valid abstract-level model (theorem 4.2) is essentially a large induction on the structure of expressions and statements.

Proof Let $M = [\![g]\!]$, $\hat M = \mathit{collapse}(\mathit{abs}_u(M))$, and $\hat M' = [\![g]\!]_u$. We first note that $\hat S$ and $\hat S'$ are isomorphic. The former are labeling functions over $\hat A$. The latter are valuations mapping variables $v_i$ to elements in $\hat D_i$, and each variable $v_i$ has its associated $\hat a_i$. Further, the state labeling functions for isomorphic states are the same. In $\hat S$, it is simply the state itself. In $\hat S'$, it maps $\hat a_i$ to the value of $v_i$ under the valuation that is the state. Let $\phi$ be this isomorphism: $\phi(f)$ will be the valuation mapping $v_i$ to $f(\hat a_i)$. We extend $\phi$ to sets and relations in the natural way. If we can demonstrate that $\phi(\hat R) \subseteq \hat R'$ and $\phi(\hat I) \subseteq \hat I'$, then this will obviously be sufficient to prove $\hat M \preceq \hat M'$. Now $\hat I$ is the image of the set of labeling functions for initial states of $M$ under $h$. Applying $\phi$ transforms these labeling functions back to valuations mapping each $v_i$ to something in $\hat D_i$. Now the states of $M$ are valuations mapping variables to domains $D_i$. Let $\sigma$ be such a valuation; we write $h(\sigma)$ to denote the valuation mapping $v_i$ to $h_i(\sigma(v_i))$. Using this notation, we see $\phi(\hat I)$ is just $h(I)$. Similarly, $\phi(\hat R) = h(R)$. Thus, we want to prove $h(R) \subseteq \hat R'$ and $h(I) \subseteq \hat I'$.

To do this, it is enough to show that for every $\mathcal{L}_0$ statement $s$, $h([\![s]\!]) \subseteq [\![s]\!]_u$. The proof here will proceed by induction on the structure of $s$. For some of the cases, we will need an auxiliary result relating the value of an expression under the two semantics. Let $\sigma$ be a valuation mapping $v_i$ to an element of $D_i$. Claim: for every $\mathcal{L}_0$ expression $e$, $h([\![e]\!]\sigma) \in [\![e]\!]_u(h(\sigma))$. To see this, we proceed by induction on the structure of $e$.

1. Suppose $e$ is a variable $v_i$. Then $[\![e]\!]\sigma = \sigma(v_i)$, and $h([\![e]\!]\sigma) = h_i(\sigma(v_i))$. $[\![e]\!]_u(h(\sigma))$ is true for $\hat d \in \hat D_i$ iff $(h(\sigma))(v_i) = \hat d$. Now $(h(\sigma))(v_i) = h_i(\sigma(v_i)) = h([\![e]\!]\sigma)$, and thus the result holds in this case.

2. Assume $e$ is $f_l(e_0, \ldots, e_{n-1})$. $h([\![e]\!]\sigma) = h(f_l([\![e_0]\!]\sigma, \ldots, [\![e_{n-1}]\!]\sigma))$. On the other hand, $[\![e]\!]_u(h(\sigma))$ is true for $\hat d$ iff

$\exists \hat d_0 \ldots \hat d_{n-1}\,[\,([\![e_0]\!]_u(h(\sigma)))(\hat d_0) \wedge \cdots \wedge ([\![e_{n-1}]\!]_u(h(\sigma)))(\hat d_{n-1}) \wedge P_{f_l}(\hat d_0, \ldots, \hat d_{n-1}, \hat d)\,].$

Let $d_i = [\![e_i]\!]\sigma$, and take $\hat d_i = h(d_i)$. By the induction hypothesis, $\hat d_i \in [\![e_i]\!]_u(h(\sigma))$ for all $i$. Hence $([\![e_i]\!]_u(h(\sigma)))(\hat d_i)$ holds for all $i$. Recall that $P_{f_l}$ is given by $P_{f_l}(\hat d_0, \ldots, \hat d_{n-1}, \hat d)$ iff

$\exists d_0 \ldots d_{n-1}\, d\,[\,\bigwedge_{i=0}^{n-1} h(d_i) = \hat d_i \wedge h(d) = \hat d \wedge f_l(d_0, \ldots, d_{n-1}) = d\,].$

Let $d = f_l([\![e_0]\!]\sigma, \ldots, [\![e_{n-1}]\!]\sigma)$, i.e., $h([\![e]\!]\sigma) = h(d)$, and set $\hat d = h(d)$.

At this point, we have $d_0, \ldots, d_{n-1}, d$ with corresponding abstract values $\hat d_0, \ldots, \hat d_{n-1}, \hat d$. We know $h([\![e]\!]\sigma) = \hat d$. We also know $\hat d_i \in [\![e_i]\!]_u(h(\sigma))$. From the definition of $P_{f_l}$, and the fact that $d = f_l(d_0, \ldots, d_{n-1})$, we see that $P_{f_l}(\hat d_0, \ldots, \hat d_{n-1}, \hat d)$. Hence $\hat d \in [\![e]\!]_u(h(\sigma))$, which is the desired result.

We now proceed to the induction on statements. Recall that we are trying to prove $h([\![s]\!]) \subseteq [\![s]\!]_u$ for all statements $s$.

1. Consider an assignment $v_i := e$. $[\![s]\!](\sigma, \sigma')$ iff $\sigma' = \sigma[[\![e]\!]\sigma / v_i]$. $[\![s]\!]_u(\hat\sigma, \hat\sigma')$ iff $\hat d \in [\![e]\!]_u\hat\sigma$ and $\hat\sigma' = \hat\sigma[\hat d / v_i]$ for some $\hat d$. To show $h([\![s]\!]) \subseteq [\![s]\!]_u$, we assume $[\![s]\!](\sigma, \sigma')$ and prove $[\![s]\!]_u(h(\sigma), h(\sigma'))$. Let $\hat\sigma = h(\sigma)$ and $\hat\sigma' = h(\sigma')$. Obviously $\hat\sigma$ and $\hat\sigma'$ can differ only on the value for $v_i$. Set $d = [\![e]\!]\sigma$ and take $\hat d = h(d)$. Then $(h(\sigma'))(v_i) = h(d) =$
d.  We  must  show  d  G  (ej„^.  However,  [cju^  =  [e}„(/i(<r)).  By 
the  above  subresult,  d  =  h{d)  =  h{\e\a)  G  [eju(h(a)). 

2.  Suppose  s  is  the  conditional  eo  — ♦  ao  |  -  1  e„_i  — ♦  s„_j .  We  have 

[cq— ♦■So  I  •  •  •  1  e„_i— *s„_ij(<T,(T')  iff  there  exists  i  such  that  (e,J<T  = 
true  and  [sjJ(o',<r').  Also,  (co  -♦  So  I  •  •  •  I  Cn-i  — ♦  s„_ij„(?,<r')  iff 
there  exists  i  such  that  ((e,J„^)(<rae)  and  [5,]ii(5^,  <7').  Again,  we 
assume  }s](<r, </)  and  prove  [sj„(h(£r), A(eT')),  Define  B  =  h(a) 
and  <t'  =  h{(T').  By  the  induction  hypothesis,  if  (s,J(<t, a'),  then 
{si)u(5’,(T').  Thus,  we  just  need  to  know  that  if  [e.Jcr  =  true,  then 
([e»lu<7)(true).  By  the  previous  subresult,  if  evaluates  to  true, 
then  h{true)  G  Iet|u(A(<T)).  But  we  also  assumed  that  true  wais 
not  abstracted  {h{true)  =  true).  Hence  ([eiJu(A((T)))(irue),  as 
required. 

3.  For  a  sequential  or  parallel  composition,  the  result  follows  in  a 

straightforward  manner  from  the  induction  hypothesis.  □ 
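The expression-level claim used above, $h([\![e]\!]\sigma) \in [\![e]\!]_u(h(\sigma))$, can be checked by brute force on a small instance. The Python below is an added illustration, not code from the thesis: it assumes a concrete domain of the integers $0, \ldots, 7$ with arithmetic modulo 8, an abstraction $h$ that only records whether a value is $0$, $1$ or at least $2$, and the two operators add and mul. It builds $P_f$ exactly as the definition in the proof does (an existential over concrete tuples), evaluates expressions under both semantics, and confirms the inclusion for every concrete valuation; it also makes visible that $[\![e]\!]_u$ is a set of abstract values, not a single one, once information is lost.

```python
from itertools import product

# Assumed concrete domain D and abstraction h (illustration only): h keeps
# whether a value is 0, 1 or "2 or more", so most arithmetic is approximated.
D = range(8)


def h(d):
    """Abstraction map h from the concrete to the abstract domain."""
    return min(d, 2)


# Operators f of the expression language, as concrete functions (assumed).
OPS = {
    "add": lambda x, y: (x + y) % 8,
    "mul": lambda x, y: (x * y) % 8,
}


def p_f(f, arity):
    """P_f from the proof: the set of tuples (d0^, ..., d(n-1)^, d^) for which
    some concrete d0, ..., d(n-1), d exist with h(di) = di^, h(d) = d^ and
    f(d0, ..., d(n-1)) = d."""
    return {tuple(h(d) for d in ds) + (h(f(*ds)),) for ds in product(D, repeat=arity)}


def eval_concrete(e, sigma):
    """[[e]]sigma: exact evaluation of e under the concrete valuation sigma."""
    if e[0] == "var":
        return sigma[e[1]]
    if e[0] == "const":
        return e[1]
    return OPS[e[0]](*(eval_concrete(arg, sigma) for arg in e[1:]))


def eval_approx(e, sigma_hat):
    """[[e]]_u sigma^: the set of abstract values the approximating semantics
    admits.  A variable is read from the abstract valuation, a constant is
    abstracted, and an operator application goes through P_f with an
    existential over the abstract values of its arguments."""
    if e[0] == "var":
        return {sigma_hat[e[1]]}
    if e[0] == "const":
        return {h(e[1])}
    arg_sets = [eval_approx(arg, sigma_hat) for arg in e[1:]]
    rel = p_f(OPS[e[0]], len(arg_sets))
    return {t[-1] for t in rel
            if all(t[i] in arg_sets[i] for i in range(len(arg_sets)))}


def abstract_valuation(sigma):
    """h(sigma): apply h componentwise to a concrete valuation."""
    return {v: h(d) for v, d in sigma.items()}


def claim_holds(e, variables):
    """Check h([[e]]sigma) in [[e]]_u(h(sigma)) for every concrete valuation."""
    for values in product(D, repeat=len(variables)):
        sigma = dict(zip(variables, values))
        if h(eval_concrete(e, sigma)) not in eval_approx(e, abstract_valuation(sigma)):
            return False
    return True


# (v0 * v1) + 3, written as a nested tuple AST (constructed example).
EXAMPLE = ("add", ("mul", ("var", "v0"), ("var", "v1")), ("const", 3))

if __name__ == "__main__":
    print("claim holds for EXAMPLE:", claim_holds(EXAMPLE, ["v0", "v1"]))
    print("[[v0 + v1]]_u with both operands >= 2:",
          eval_approx(("add", ("var", "v0"), ("var", "v1")), {"v0": 2, "v1": 2}))
```

Because $P_f$ is built from every concrete tuple, the inclusion holds by construction; what the run shows is how coarse the approximation becomes. Two operands abstracted to "at least 2" can sum, modulo 8, to any abstract value, so $[\![v_0 + v_1]\!]_u$ returns all three, whereas $0 + 1$ stays exact.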

Finally, we prove theorem 4.4: that $(\mathit{obs}_u, \mathit{obs}_l)$ is a conservative connection.

Proof  Let $M$ be a structure over $A$, $\hat{M} = \mathit{obs}_u(M)$, $\hat{M}''$ be a structure over $\hat{A}$, and $M'' = \mathit{obs}_l(\hat{M}'')$, and suppose $\hat{M} \preceq \hat{M}''$. Define $\sqsubseteq$ by $s \sqsubseteq (s'', s')$ iff $L(s) = L''((s'', s'))$ and $(s, s') \preceq s''$. We show that $\sqsubseteq$ is a simulation relation between $M$ and $M''$.

Obviously states related by $\sqsubseteq$ have identical labelings. Suppose $s \sqsubseteq (s'', s')$. Let $\pi = s_0 s_1 s_2 \ldots$ be a path from $s = s_0$ in $M$. By the definition of observer, there must be a path $(s_0, s_0')(s_1, s_1') \ldots$ in $\hat{M}$, where $s' = s_0'$. We must have $(s, s') \preceq s''$, and so there is a path $\pi''$ of the form $s_0'' s_1'' s_2'' \ldots$ from $s'' = s_0''$ in $\hat{M}''$ with $(s_i, s_i') \preceq s_i''$ for all $i$. This implies that $s_i'$ and $s_i''$ have identical labelings on $\hat{A}$, and so $(s_i'', s_i')$ is a state of $M''$ for all $i$. Further, $L(s_i) = L''((s_i'', s_i'))$ since $(s_i, s_i')$ is a state of $\hat{M}$. Hence $s_i \sqsubseteq (s_i'', s_i')$ for all $i$, and so $\sqsubseteq$ is indeed a simulation relation.

Now let $s$ be an initial state of $M$. By the definition of observer, there is some $s' \in I'$ such that $(s, s')$ is an initial state of $\hat{M}$. Since $\hat{M} \preceq \hat{M}''$, there must be a corresponding initial state $s''$ of $\hat{M}''$. Now $(s'', s')$ is an initial state of $M''$, and $L''((s'', s')) = L(s)$. This implies $s \sqsubseteq (s'', s')$, i.e., $\sqsubseteq$ relates initial states to initial states. Hence $M \preceq M''$. $\square$

We also note that both $\mathit{obs}_u$ and $\mathit{obs}_l$ are monotonic and can be pushed over composition. Consider, for example, $\mathit{obs}_u$. Monotonicity is straightforward: if $M'$ is the composition of the observers, then $M_1 \preceq M_2$ implies $M_1 \parallel M' \preceq M_2 \parallel M'$, and restricting both sides to $\hat{A}$ also preserves $\preceq$. When we push $\mathit{obs}_u$ over composition, we want to compare $((M_1 \parallel M_2) \parallel M') \restriction \hat{A}$ with $((M_1 \parallel M') \restriction \hat{A}) \parallel ((M_2 \parallel M') \restriction \hat{A})$. To prove that the latter can simulate the former, we show that
$$\{\, (((s_1, s_2), s'),\ ((s_1, s'), (s_2, s'))) \mid s_1 \in S_1,\ s_2 \in S_2,\ s' \in S' \,\}$$
is a simulation relation.


Chapter  5 

Symbolic  Parameters 


The dramatic effect of using BDDs to implement traditional verification algorithms is well-documented [4, 23, 37, 48, 67, 89]. However, they can also be used to add powerful new extensions to these methods. This additional power arises because BDDs give us a flexible and efficient facility for manipulating sets and relations over finite domains. In this chapter, we indicate some of the ways that this facility can be used.


5.1  First-Order  Quantification 

We extend CTL (definition 2.1) to include first-order quantification operators. To do this, we first allow the atomic formulas to mention variables that range over data values. We will assume that each variable is associated with some particular domain of values.

Definition 5.1  The logic QCTL ("Quantified CTL") over a set of state components $A$ is the set of formulas given by the following inductive definition:

1. The constant $\mathit{true}$ is a formula.

2. For each state component $a$ in $A$, element $d$ of $D_a$, and variable $x$ ranging over values in $D_a$, $a = d$, $a = x$, and $x = d$ are formulas.

3. If $\varphi$ and $\psi$ are formulas, then $\neg\varphi$ and $\varphi \wedge \psi$ are formulas.

4. If $\varphi$ and $\psi$ are formulas, then $\mathbf{AX}\,\varphi$, $\mathbf{A}(\varphi\,\mathbf{V}\,\psi)$ and $\mathbf{A}(\varphi\,\mathbf{U}\,\psi)$ are formulas.

5. If $\varphi$ is a formula, then so is $\forall x\,\varphi$.

We use the usual abbreviations; also $\exists x\,\varphi$ denotes $\neg\forall x\,\neg\varphi$.

The semantics of these formulas over structures is essentially the same as standard CTL, except parameterized by a valuation for the individual variables.

Definition 5.2  Let $M$ be a structure and $\varphi$ be a formula with $A \supseteq \mathit{comp}(\varphi)$. Satisfaction of $\varphi$ by a state $s$ of $M$ with respect to a valuation $\sigma$ for the individual variables in $\varphi$ ($M, s, \sigma \models \varphi$) is defined as follows:

1. Satisfaction for $\mathit{true}$, $\neg\varphi$, $\varphi \wedge \psi$, $\mathbf{AX}\,\varphi$, etc., is defined essentially as in satisfaction of CTL formulas (definition 2.4).

2. $M, s, \sigma \models a = d$ iff $L(s, a) = d$. $M, s, \sigma \models a = x$ iff $L(s, a) = \sigma(x)$. $M, s, \sigma \models x = d$ iff $\sigma(x) = d$.

3. $M, s, \sigma \models \forall x\,\varphi$ iff for every $d$ in the domain $D_a$ associated with $x$, $M, s, \sigma[d/x] \models \varphi$.

$M$ satisfies the formula $\varphi$ if for every initial state $s$ of $M$ and valuation $\sigma$ for the individual variables, $M, s, \sigma \models \varphi$. (Thus, free variables in $\varphi$ are treated as being under the scope of a universal quantifier.)

At first glance, model checking for QCTL would seem to be an inefficient prospect. Whenever we encounter a subformula $\forall x\,\varphi$, we may have to check $\varphi$ for each possible value of $x$. Naturally, the situation is worse when quantifiers are nested. Overall, since the model checking problem for QCTL obviously subsumes the satisfiability problem for quantified boolean formulas (QBF) [58], we cannot expect an algorithm that is polynomial time in the size of our formula. Consider the situation in practice however. A natural use for QCTL is to describe systems that handle data. For example, if we are verifying a protocol and wish to specify that whatever data is sent is eventually received, we might use the following formula:
$$\mathbf{AG}\,\forall x\,(\mathit{send} \wedge \mathit{senddata} = x \rightarrow \mathbf{AF}(\mathit{rcv} \wedge \mathit{rcvdata} = x)).$$
The implementation probably behaves in a similar fashion regardless of what the data is. As a result, once we have verified that the formula holds for one particular data value, we expect that it will hold for all the others as well. If we could argue that the value that we picked is somehow representative of an arbitrary value, we might be able to avoid having to check them explicitly. Unfortunately, making this precise is difficult, especially if the implementation does have some data dependent behavior. Suppose, for example, that the implementation computes the parity of the data that is sent. In this case, it may not be enough to check just one data value, but we probably could check one data value with even parity and one with odd parity. Overall we are faced with a dilemma: forcing the user to decide which cases to check is tedious and potentially error-prone, while doing the analysis for each individual data value is potentially time-consuming. In a BDD-based setting, we have a chance to avoid both of these problems. We will be checking all data values simultaneously. Because of sharing in the BDDs, data values for which the implementation behaves similarly are likely to be collapsed. In essence, the BDDs allow us to do an automatic case analysis to exactly the degree of granularity required in order to ensure soundness.

Figure 5.1 below gives an algorithm for model checking QCTL formulas. The algorithm is expressed in terms of manipulation of relations; these manipulations can be translated into BDD operations in the standard way. In the figure, only the function that determines the set of states satisfying a particular formula is shown; the check to see that every initial state satisfies the given formula is straightforward. The function takes as parameters the (sub)formula to be checked and a list representing the variables which this subformula is in the scope of.

Extending the counterexample generation facility is straightforward. When producing a counterexample for a formula $\varphi$ at the state $s$, where the top-level operator of $\varphi$ is a temporal one, we will have already fixed values for the variables $x_0, \ldots, x_{n-1}$ on which $\varphi$ depends. Taking the relation $P(t, x_0, \ldots, x_{n-1})$ that we obtained when evaluating $\varphi$, we set the $x_i$ and obtain a relation $Q(t)$ which is the set of states satisfying $\varphi$ for those values. The $x_i$ will have been chosen so that $Q(s)$ does not hold. We now construct a counterexample for the top-level operator using the standard methods. To show a counterexample for $\forall x\,\varphi$ at the state $s$, we start with the relation $P(t, x, x_0, \ldots, x_{n-1})$ obtained when evaluating $\varphi$. Fixing the $x_i$ gives a relation $Q(t, x)$. For some value of $x$, it must be the case that $\neg Q(s, x)$. We fix $x$ at such a value, display it, and then generate a counterexample for $\varphi$.

    function check($\varphi$, ($x_0, \ldots, x_{n-1}$))
      if $\varphi$ = $\mathit{true}$
        let $P(s, x_0, \ldots, x_{n-1})$ be identically true
      else if $\varphi$ = ($a = x_i$)
        let $P$ be such that $P(s, x_0, \ldots, x_{n-1})$ iff $L(s, a) = x_i$
      else if $\varphi$ = ($x_i = d$)
        let $P$ be such that $P(s, x_0, \ldots, x_{n-1})$ iff $x_i = d$
      else if $\varphi$ = $\mathbf{AX}\,\psi$
        ...
      else if $\varphi$ = $\forall x\,\psi$
        $Q$ := check($\psi$, ($x, x_0, \ldots, x_{n-1}$))
        let $P(s, x_0, \ldots, x_{n-1})$ iff $\forall x\, Q(s, x, x_0, \ldots, x_{n-1})$
      endif
      return $P$

Figure 5.1: Model checking algorithm for QCTL
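The function of figure 5.1, together with the counterexample step for $\forall x$, can be run on an explicit (non-BDD) representation of a small structure. The Python below is an added example, not code from the thesis: relations are sets of tuples $(s, x_0, \ldots, x_{n-1})$, the structure is a one-register program whose output $b$ copies its input $a$ every step, with data narrowed to 2 bits (an assumption, so that the explicit relations stay tiny), and the cases not spelled out in the figure are filled in the obvious way: $\mathbf{AX}$ as a check over all successors, $\mathbf{AG}$ as a greatest fixpoint, and $\neg$, $\wedge$ so that the implication in the specification can be expressed. A deliberately broken variant of the program, which loses the value 3, shows which value of $x$ the counterexample step reports.

```python
from itertools import product

DOM = range(4)  # assumed 2-bit data values, to keep the explicit relations small


class Structure:
    """A finite structure: states, initial states, successor function and a
    labeling L(s, a) giving the value of state component a in state s."""

    def __init__(self, states, init, succ, label):
        self.states, self.init, self.succ, self.label = states, init, succ, label


def relation(M, doms, pred):
    """Build P(s, x0, ..., xn-1) explicitly as the set of tuples where pred holds."""
    return {(s,) + xs for s in M.states for xs in product(*doms) if pred(s, xs)}


def check(M, phi, xs, doms):
    """check(phi, (x0, ..., xn-1)) of figure 5.1 over explicit relations.
    xs are the names of the variables phi is in the scope of, doms their domains."""
    op = phi[0]
    if op == "true":
        return relation(M, doms, lambda s, v: True)
    if op == "a=d":
        return relation(M, doms, lambda s, v: M.label(s, phi[1]) == phi[2])
    if op == "a=x":
        i = xs.index(phi[2])
        return relation(M, doms, lambda s, v: M.label(s, phi[1]) == v[i])
    if op == "x=d":
        i = xs.index(phi[1])
        return relation(M, doms, lambda s, v: v[i] == phi[2])
    if op == "not":
        return relation(M, doms, lambda s, v: True) - check(M, phi[1], xs, doms)
    if op == "and":
        return check(M, phi[1], xs, doms) & check(M, phi[2], xs, doms)
    if op == "AX":  # every successor must satisfy the subformula
        Q = check(M, phi[1], xs, doms)
        return relation(M, doms, lambda s, v: all((t,) + v in Q for t in M.succ(s)))
    if op == "AG":  # greatest fixpoint of Z = psi and AX Z
        Z = check(M, phi[1], xs, doms)
        while True:
            Znew = {tup for tup in Z if all((t,) + tup[1:] in Z for t in M.succ(tup[0]))}
            if Znew == Z:
                return Z
            Z = Znew
    if op == "forall":  # the new variable goes first, as in the figure
        _, x, dom, psi = phi
        Q = check(M, psi, [x] + xs, [dom] + doms)
        return relation(M, doms, lambda s, v: all((s, d) + v in Q for d in dom))
    raise ValueError(phi)


def implies(p, q):
    """p -> q as an abbreviation over the primitive connectives."""
    return ("not", ("and", p, ("not", q)))


def satisfies(M, phi):
    """M satisfies the closed formula phi iff every initial state does."""
    P = check(M, phi, [], [])
    return all((s,) in P for s in M.init)


def counterexample_value(M, phi, s):
    """For phi = forall x psi failing at s: a value of x with Q(s, x) false."""
    _, x, dom, psi = phi
    Q = check(M, psi, [x], [dom])
    return next(d for d in dom if (s, d) not in Q)


def copy_program(broken=False):
    """States are pairs (a, b): b copies a each step, a is a free input.
    With broken=True the copy turns the value 3 into 0 (a constructed fault)."""
    states = list(product(DOM, DOM))

    def succ(s):
        a, _ = s
        nxt = 0 if (broken and a == 3) else a
        return [(a2, nxt) for a2 in DOM]

    return Structure(states, [(a, 0) for a in DOM], succ,
                     lambda s, name: s[0] if name == "a" else s[1])


# AG forall x (a = x -> AX b = x)
INNER = ("forall", "x", DOM, implies(("a=x", "a", "x"), ("AX", ("a=x", "b", "x"))))
SPEC = ("AG", INNER)

if __name__ == "__main__":
    print("correct program satisfies spec:", satisfies(copy_program(), SPEC))
    print("broken program satisfies spec:", satisfies(copy_program(broken=True), SPEC))
    print("x for which forall fails at (3, 0):",
          counterexample_value(copy_program(broken=True), INNER, (3, 0)))
```

With an explicit representation the relation for $\forall x\,\psi$ is a full product of states and values; a BDD would share the rows for the three values on which the broken program still behaves identically, which is the point made above about automatic case analysis.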

5.2  Symbolic  Abstractions 

In this section, we demonstrate that the symbolic manipulation facilities available with BDDs can greatly increase the power of the data abstractions considered in section 4.1. To illustrate the method, we consider verifying the trivial program shown in figure 5.2. (This program is written in the same language used for most of the examples in chapter 4.)

    input a[8];
    output b[8] := 0;
    loop
      b := a;
      wait
    endloop

Figure 5.2: An example program

We wish to show that the next state value of $b$ is always equal to the current state value of $a$. Using QCTL, we could express this requirement as
$$\mathbf{AG}\,\forall x\,(a = x \rightarrow \mathbf{AX}\, b = x).$$
Let us fix a particular value of $x$, say 42:
$$\mathbf{AG}(a = 42 \rightarrow \mathbf{AX}\, b = 42).$$
If we wanted to verify just this property, we could use the following abstraction for $a$ and $b$:
$$h_{42}(n) = \begin{cases} 0, & \text{if } n = 42; \\ 1, & \text{otherwise.} \end{cases}$$
When we apply this abstraction and compile the program, we obtain the transition relation $R(a, a', b, b')$ defined by $b' = a$. Here, the primes denote next-state variables, and all of the variables range over $\{0, 1\}$. Now to check that our program works correctly for the value 42, we would check the following formula at the abstract level:
$$\mathbf{AG}(a = 0 \rightarrow \mathbf{AX}\, b = 0).$$
The formula would of course turn out to be satisfied. Now we obviously do not want to have to repeat this process for each possible data value.

Suppose now that we were to modify our abstraction function as follows:
$$h_c(n) = \begin{cases} 0, & \text{if } n = c; \\ 1, & \text{otherwise.} \end{cases}$$


We have introduced a new symbolic parameter $c$ that our abstraction depends on. Imagine compiling the program with this abstraction; we should get a relation $R(a, a', b, b', c)$ that is parameterized by $c$. Fixing $c = 42$ will give the relation $R$ that we encountered above. If we could run the model checking algorithm on our parameterized relation, we would obtain a parameterized state set representing the states for which our formula is true. Now our specification
$$\mathbf{AG}(a = 0 \rightarrow \mathbf{AX}\, b = 0)$$
is essentially saying
$$\mathbf{AG}(a = c \rightarrow \mathbf{AX}\, b = c).$$
If the formula turns out to be true for all values of $c$, we will have proved
$$\forall x\,\mathbf{AG}(a = x \rightarrow \mathbf{AX}\, b = x),$$
which is equivalent to our original specification. The observation now is that by introducing 8 extra BDD variables to encode the possible choices for $c$, we can in fact:

1. represent $h_c$ with a BDD (the user will supply just $h_c$);

2. compile with $h_c$ to get a BDD representing $R(a, a', b, b', c)$ (the compiler handles this step automatically);

3. perform the model checking to obtain a BDD representing the parameterized state set (the model checker does this automatically); and

4. if necessary, choose a specific $c$ and generate a counterexample (also done by the model checker).

Further note that, in this case, the program behaves identically regardless of the value of $c$, so when we compile it, the BDD representing $R$ will be independent of the extra variables that we introduced. As a result, doing the model checking will be no more complex than in the case when we were just verifying
$$\mathbf{AG}(a = 42 \rightarrow \mathbf{AX}\, b = 42).$$
In general, we have found that sharing in the BDDs makes it possible to efficiently perform the parameterized abstraction, compilation, and model checking. We call abstractions such as $h_c$ "symbolic abstractions"; below, we give some more complex examples that make use of these abstractions.

Our first example is a linear sorting array. The array consists of one cell for each integer to be sorted; the program for an individual cell is shown in figure 5.3. The cells are numbered consecutively from left to right. In the array, each cell's $\mathit{left}$ and $\mathit{leftsorted}$ inputs are connected to its left neighbor's $y$ and $\mathit{sorted}$ outputs, and each cell's $\mathit{right}$ input is connected to its right neighbor's $x$ output. The values to be sorted are the values of the $x$ outputs. The sort proceeds in cycles. During each cycle, exactly half the cells (either all the odd numbered cells or all the even numbered cells) will have their $\mathit{comparing}$ output equal to one. These cells compare their own $x$ output with that of their right neighbor. The smaller of these values is placed in $y$. In addition, if the values were swapped, the cell's $\mathit{sorted}$ output is set to zero. During the next clock period, the right neighbor's $x$ and $\mathit{sorted}$ values are copied from the first cell's $y$ and $\mathit{sorted}$ outputs. When the rightmost cell's $\mathit{sorted}$ output becomes one, the sort is complete. In this example, we consider an array for sorting eight numbers. The $\mathit{comparing}$ output is set to zero or one depending on the cell's position in the array. The left and right ends of the sorting array are dummy cells for which $x$ is $2^{16} - 1$ and $0$ respectively. The left cell's $\mathit{sorted}$ output is also fixed at 1.

To verify this program with symbolic abstractions, we used a simple partitioning
$$h_c(n) = \begin{cases} 0, & \text{if } n < c; \\ 1, & \text{if } n \geq c, \end{cases}$$
where $c$ is the parameter. If two numbers are not equivalent according to this abstraction, we can find the truth value of a comparison between them.

The properties which we verified are:

1. for every $c$, eventually the values of the $x$ outputs are such that all numbers which are less than $c$ come before all numbers which are greater than or equal to $c$, and this condition holds invariantly from that point on; and

2. for every $c$, the number of the $x$ outputs which are less than $c$ is invariant except when elements are being swapped.

The first property implies that the array is eventually sorted. The second one implies that the final values of the $x$ outputs form a permutation of the initial values.

We performed the verification by abstracting all the 16 bit variables in the program using the abstraction described above. The temporal formulas corresponding to the two properties are
$$\mathbf{AF}\,\mathbf{AG}\big((x[7] < c \vee x[6] \geq c) \wedge \cdots \wedge (x[1] < c \vee x[0] \geq c)\big)$$
and, for all $j$,
$$\mathbf{AG}\Big(\big(\mathit{stable} \wedge \textstyle\sum_{i=0}^{7}(x[i] < c) = j\big) \rightarrow \mathbf{AG}\big(\mathit{stable} \rightarrow \textstyle\sum_{i=0}^{7}(x[i] < c) = j\big)\Big).$$
To make the formulas more readable, we have written $x[i] < c$ instead of $x[i] = 0$ and $x[i] \geq c$ instead of $x[i] = 1$. Also, the summation notation is used to denote the number of formulas $x[i] < c$ which are true. Finally, $\mathit{stable}$ is an atomic proposition which is true when every cell is at the wait statement on line 28. In order to ensure that the cells maintain lockstep, we also checked
$$\mathbf{AG}\,\mathbf{AF}\,\mathit{stable}.$$
     1  input left[16];
     2  input leftsorted[1];
     3  output sorted[1] := 0;
     4  output comparing[1] := <0 or 1>;
     5  output swap[1] := 0;
     6  output x[16];
     7  output y[16];
     8  input right[16];
     9  loop
    10    if comparing = 1
    11      swap := (x < right);
    12      wait;
    13      if swap = 1
    14        y := x;
    15        x := right;
    16        sorted := 0
    17      else
    18        y := right
    19      endif;
    20      wait
    21    else
    22      wait;
    23      wait;
    24      x := left;
    25      sorted := leftsorted
    26    endif;
    27    comparing := !comparing;
    28    wait
    29  endloop

Figure 5.3: A sorting cell program
Verifying these properties required just under five minutes of CPU time on a Sun 4. In addition, checking these properties on the unabstracted program was not feasible due to space limitations.


5.3  Symbolic  Compositions 

For our last example, a pipelined arithmetic circuit, we will use symbolic abstractions together with an additional technique called "symbolic compositions". Suppose that we have a system with a number of related processes $M_0, \ldots, M_{n-1}$. Also suppose that we wish to verify a class of properties $\varphi_0, \ldots, \varphi_{n-1}$, where $\varphi_i$ describes the interaction of $M_i$ with the remainder of the system, modeled by $M$. Using the compositional reasoning ideas described in chapter 3, we might try to check $\varphi_i$ on just the composition $M \parallel M_i$. Instead of doing this for each individual $i$ however, we may be able to use symbolic parameters to do all of the checks at once. To see how this might be possible, we consider a simple example.

Let $M_0, \ldots, M_{15}$ be registers, where $M_i$ is described by the program in figure 5.4. Note that $i$ is used as a parameter in this program. During each cycle, one of the registers is set to the value of the input $a$. Each register will have a different output $b[i]$.


    input addr[4];
    input a[16];
    output b[16];
    loop
      if addr = <i>
        b := a
      endif;
      wait
    endloop

Figure 5.4: An example program
Suppose that we want to verify the following class of properties:
$$\mathbf{AG}\,\forall x\,(\mathit{addr} = i \wedge a = x \rightarrow \mathbf{AX}(b[i] = x)),$$
where $i$ ranges from 0 to 15. To verify the property for $i = 7$, it will obviously be enough to check
$$\mathbf{AG}\,\forall x\,(\mathit{addr} = 7 \wedge a = x \rightarrow \mathbf{AX}(b[7] = x))$$
on $M_7$. Now suppose we rename $b[7]$ to $b$ in $M_7$ and in the above property before doing the check. This obviously will not affect whether the verification succeeds or not. Now consider how we can do this for all $i$ simultaneously. Taking the program for $M_i$, compiling it, and renaming $b[i]$ to $b$ can be done by just compiling the program above using a new 4 bit symbolic parameter to represent $i$. The result is a parametric representation of $M_i$. Using that same symbolic parameter, we can express the class of properties (after renaming) with the formula
$$\mathbf{AG}\,\forall x\,(\mathit{addr} = i \wedge a = x \rightarrow \mathbf{AX}(b = x)).$$
When we run the model checker now, the effect is to check the specification involving $M_i$ using just $M_i$. For this particular example, the whole verification can be done using about the same amount of time and space as would be required for checking just one of the properties. Note that when doing the verification, we have managed to avoid composing all of the $M_i$, and hence we never deal with more than a small part of the system state space.

We now turn to a more extensive example, a pipelined arithmetic unit. A block diagram of the circuit is shown in figure 5.5. This example was first described by Burch et al. [23]. It performs three-address arithmetic and logical operations on operands stored in a register file. The pipeline operates as follows:

1. During the first cycle of the instruction, operands are read from the register file into the instruction operand registers.

2. During the second cycle, the result of the operation is computed and stored in the pipeline register after the ALU.

3. In the third, the result is written back to the register file.
Thus, performing an operation requires three cycles. Each instruction to the pipeline specifies the source and destination registers and the operation to perform. In addition, the pipeline has a stall input that indicates that the instruction is invalid and should be ignored. More specifically, the instruction's destination register should not be affected if the stall input is true. The stall signal might, for example, be used to indicate an instruction cache miss; the signal would be asserted until an instruction is fetched from main memory. In order to allow results to be used before they are actually written into the register file, data can be fed from the ALU output or from the ALU output register back to the ALU operand registers. To simplify matters slightly, we shall consider a pipeline that only performs addition operations, but the same techniques can be used to verify other operations as well.


Figure 5.5: Pipeline circuit block diagram (register file read ports and write port, ALU, and bypass circuitry)

The specification that we will check is the following: for every possible value of the source and destination addresses, the value of the destination register in three cycles will be equal to the sum of the values in the source registers in two cycles. The use of the values in the source registers two cycles hence is necessary to allow for the possibility that those registers may be in the process of being updated.
$$\mathbf{AG}\big(\mathit{srcaddr1} = i \wedge \mathit{srcaddr2} = j \wedge \mathit{destaddr} = k \wedge \neg\mathit{stall} \rightarrow \forall a\,\forall b\,\mathbf{AX}\,\mathbf{AX}((\mathit{reg}[i] = a) \wedge (\mathit{reg}[j] = b) \rightarrow \mathbf{AX}(\mathit{reg}[k] = a + b))\big)$$
Also, any given register is not affected if either it is not the destination register or the current instruction is stalled.
$$\mathbf{AG}\big(\mathit{stall} \vee \mathit{destaddr} \neq i \rightarrow \forall a\,\mathbf{AX}\,\mathbf{AX}((\mathit{reg}[i] = a) \rightarrow \mathbf{AX}(\mathit{reg}[i] = a))\big)$$


Observe that to verify one of these properties, we should need only the registers involved ($\mathit{reg}[i]$, $\mathit{reg}[j]$, and $\mathit{reg}[k]$) plus the other parts of the pipeline. Thus, we are in a position to use a symbolic composition. We introduce new symbolic parameters $i$, $j$ and $k$. We then compile three copies of the program for a register, parameterized by $i$, $j$ and $k$, with the $\mathit{reg}$ output renamed to $\mathit{regi}$, $\mathit{regj}$ and $\mathit{regk}$ respectively. During the compilation process, we also want to abstract the data values that can be stored in the registers. For verifying the addition operation, we will introduce symbolic parameters $a$ and $b$, and then use the abstraction
$$h_{a,b}(n) = \begin{cases} 0, & \text{if } n = a; \\ 1, & \text{if } n = b; \\ 2, & \text{if } n = a + b; \\ 3, & \text{otherwise.} \end{cases}$$
Now we would like to check
$$\mathbf{AG}\big(\mathit{srcaddr1} = i \wedge \mathit{srcaddr2} = j \wedge \mathit{destaddr} = k \wedge \neg\mathit{stall} \rightarrow \mathbf{AX}\,\mathbf{AX}((\mathit{regi} = 0) \wedge (\mathit{regj} = 1) \rightarrow \mathbf{AX}(\mathit{regk} = 2))\big)$$
and
$$\mathbf{AG}\big(\mathit{stall} \vee \mathit{destaddr} \neq i \rightarrow \mathbf{AX}\,\mathbf{AX}((\mathit{regi} = 0) \rightarrow \mathbf{AX}(\mathit{regi} = 0))\big).$$
There is one minor problem however: the map $h_{a,b}$ may not be well-defined. Suppose, for example, that $a = b$; then $h_{a,b}(a)$ could be 0 or 1. Further, if $a = b = 0$, it could even be 2. We can resolve this difficulty in one of two ways. The first is to do a by-hand case analysis in order to get a series of well-defined maps. For this example, we could look at the following cases:

1. The possible abstract values are $a \neq 0$, $0$, and everything else; we check that the system works correctly when both operands are $0$, and when one operand is $0$ and the other is $a$.

2. The possible abstract values are $a \neq 0$, $a + a$, and everything else. We verify that the pipeline works when both operands are $a$.

3. The possible values are $a$, $b$, $a + b$, and everything else. We require $a \neq b$, and for both $a$ and $b$ to be nonzero. Then we check that the system is correct when the operands are $a$ and $b$.

It is easy to see that this covers all possibilities, and in each case we can build a well-defined abstraction mapping. Note that with this method, we encode a set of $k$ abstract values using $\lceil \log_2 k \rceil$ bits. The second way to fix the problem is to allow the abstract classes to overlap, and to encode the $k$ possible abstract values with $k$ bits. In the case of $h_{a,b}$ above, we would use three bits, for $a$, $b$ and $a + b$, and have
$$h_{a,b}(n) = \begin{cases}
0, & \text{if } n \neq a \wedge n \neq b \wedge n \neq a + b; \\
1, & \text{if } n = a \wedge n \neq b \wedge n \neq a + b; \\
2, & \text{if } n \neq a \wedge n = b \wedge n \neq a + b; \\
3, & \text{if } n = a \wedge n = b \wedge n \neq a + b; \\
4, & \text{if } n \neq a \wedge n \neq b \wedge n = a + b; \\
5, & \text{if } n = a \wedge n \neq b \wedge n = a + b; \\
6, & \text{if } n \neq a \wedge n = b \wedge n = a + b; \\
7, & \text{if } n = a \wedge n = b \wedge n = a + b.
\end{cases}$$
Then, to say that $\mathit{regi}$ has the value $a$, we would write
$$\mathit{regi} \in \{1, 3, 5, 7\}.$$
We used the second method for this example.
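The well-definedness problem and the overlapping three-bit encoding can be exercised directly. The Python below is an added example, not code from the thesis: it assumes registers of a configurable width with addition modulo $2^{\mathit{width}}$ (16 bits by default, as in the pipeline), implements the four-valued map as a set-valued function so that its ambiguity is visible, implements the three-bit $h_{a,b}$ bit by bit, derives from it the abstract value sets that stand for $n = a$, $n = b$ and $n = a + b$, and checks exhaustively, at a narrow width, the fact the abstract-level addition property relies on: whenever $\mathit{regi}$ denotes $a$ and $\mathit{regj}$ denotes $b$, the concrete sum abstracts to a value denoting $a + b$, for every choice of the parameters $a$ and $b$ including the overlapping ones.

```python
from itertools import product

WIDTH = 16  # register width in bits, as in the pipeline example (assumed)


def h_ab_fourvalued(n, a, b, width=WIDTH):
    """The first map from the text (0: n = a, 1: n = b, 2: n = a + b, 3: other),
    returned as the set of values it could take.  When a, b and a + b are not
    distinct the set has more than one element, i.e. the map is not a function."""
    modulus = 1 << width
    values = {code for code, ref in ((0, a), (1, b), (2, (a + b) % modulus)) if n == ref}
    return values or {3}


def is_well_defined(a, b, width=WIDTH):
    """True iff the four-valued map is a function for these parameters."""
    modulus = 1 << width
    return all(len(h_ab_fourvalued(n, a, b, width)) == 1 for n in range(modulus))


def h_ab(n, a, b, width=WIDTH):
    """The overlapping three-bit map: bit 0 is (n = a), bit 1 is (n = b),
    bit 2 is (n = a + b).  Always a function, since each test is independent."""
    modulus = 1 << width
    return int(n == a) | (int(n == b) << 1) | (int(n == (a + b) % modulus) << 2)


def abstract_values_with_bit(bit):
    """Abstract values whose given bit is set, e.g. bit 0 gives {1, 3, 5, 7},
    the set written for 'regi has the value a' in the text."""
    return {v for v in range(8) if v & (1 << bit)}


DENOTES_A, DENOTES_B, DENOTES_SUM = (abstract_values_with_bit(i) for i in range(3))


def abstract_add_sound(width):
    """Exhaustively check the fact the abstract addition property relies on:
    if regi abstracts to a value denoting a and regj to one denoting b, then
    regi + regj abstracts to a value denoting a + b.  A narrow width keeps the
    enumeration of (a, b, regi, regj) tuples small."""
    modulus = 1 << width
    for a, b, ri, rj in product(range(modulus), repeat=4):
        if h_ab(ri, a, b, width) in DENOTES_A and h_ab(rj, a, b, width) in DENOTES_B:
            if h_ab((ri + rj) % modulus, a, b, width) not in DENOTES_SUM:
                return False
    return True


if __name__ == "__main__":
    print("a=5, b=9 well-defined:", is_well_defined(5, 9))
    print("a=b=0 is ambiguous:", h_ab_fourvalued(0, 0, 0))
    print("three-bit value of a when a=b=0:", h_ab(0, 0, 0))
    print("abstract addition sound at width 4:", abstract_add_sound(4))
```

The membership tests on the three-bit encoding are what the abstract formula has to use in place of equality: $\mathit{regi} = 0$ in the four-valued version becomes $\mathit{regi} \in \{1, 3, 5, 7\}$, and the same substitution applies to $\mathit{regj}$ and $\mathit{regk}$ with the other two bits.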

The largest pipeline example we tried had 64 registers in the register file and each register was 64 bits wide. This circuit has more than 4,000 state bits and nearly $10^{1300}$ reachable states. The verification required less than 25 minutes of CPU time on a Sun 3/60. The verification time scales polylogarithmically in the number of registers and linearly in the width of registers. Burch, Clarke, and Long [22] verified essentially the same circuit using no abstraction. With 8 registers, each 32 bits wide, they required 4 hours and 20 minutes of CPU time on a Sun 4 to complete the verification. In addition, their verification times were growing cubically with the number of registers and quadratically with the register width.
Chapter 6

Verification  of  the 
Futurebus+  Cache 
Coherence  Protocol 


In  this  chapter,  we  apply  some  of  the  ideas  from  chapters  2  through  5  to 
the  verification  of  the  cache  coherence  protocol  described  in  the  IEEE 
Futurebus+  standard.  Our  goal  is  to  demonstrate  that  the  methods  can 
be  used  to  verify  designs  of  realistic  complexity.  The  work  described 
below  is  an  extension  of  work  that  we  reported  earlier  [29]. 


6.1  Overview  of  the  Protocol 

Futurebus+ is an emerging bus standard for high-performance multiprocessors.
The goal of the committee that developed Futurebus+ was to create a public
standard for bus protocols that was unconstrained by the characteristics of
any particular processor or device technology and that would be widely
accepted and implemented by vendors. It has been adopted by the Navy's
next-generation computer resources program as its standard linear backplane,
and companies such as DEC, Sun, Motorola and Force Computers are developing
Futurebus+ products. The Futurebus+ specification is actually a number of
standards, covering issues from physical interconnection through high-level
protocols. We will be concerned with the IEEE Standard for Futurebus+—Logical
Protocol Specification (IEEE Standard 896.1-1991) [59]. Part of this standard
is a cache coherence protocol designed to ensure consistency of data in
systems composed of many processors and caches interconnected by multiple bus
segments. (For an overview of a number of cache coherence protocols, see the
article by Archibald and Baer [3].)

Consider a multiprocessor system such as the one shown in figure 6.1. Each of
the processors P1, P2, and P3 has access to a central shared memory, M. P3 is
on the same bus as M, so read and write requests from P3 can be delivered to
M directly. In contrast, requests from P1 and P2 must pass through a
communications network before reaching M. (There may actually be many
processors and memories scattered throughout the system, but each memory
location must belong to a single home memory. Also, all of the processors
that can access the memory location must form a tree rooted at the memory.)
There are two main problems that arise in accessing memory.

1.  When  there  are  many  processors  contending  for  access  to  M,  the 
bandwidth  required  to  ensure  adequate  performance  can  be  very 
high. 

2.  The  latency  of  servicing  requests  that  must  pass  through  the  net¬ 
work  can  be  very  long. 

In order to alleviate these problems, each processor is equipped with a
cache. A cache can hold copies of some of the memory locations in M. When a
processor wants to read or write, it can often obtain the data from its
cache, or store it in the cache. This is a fast operation, and because
programs exhibit locality of reference, a piece of data is typically moved
into a cache once and then accessed a number of times. However, while caching
is effective for reducing latency and bandwidth requirements, it can destroy
the original shared memory semantics of accesses. Suppose, for example, P1
obtains a copy of some memory location in its cache and then writes to that
location. If P3 now wants to read the same location, it must somehow know
that the data is stored in P1's cache, and that the copy in memory is out of
date. Maintaining shared memory semantics is the purpose of the cache
coherence protocol.

In the Futurebus+ protocol, sequences of consecutive memory locations are
grouped together into cache lines. Each cache line is treated as a unit for
coherence purposes. Under the protocol, coherence is maintained on individual
buses by having the individual processors snoop, or observe, all bus
transactions. As an example, consider figure 6.1 again. Suppose that P1
obtains a copy of a cache line and writes to one of the locations in the
line. Then P2 tries to read a location in the same line by putting a read
request on the bus. P1 will snoop the read request and will intervene to
supply the data directly to P2. Coherence across buses is maintained using
special cache agents and memory agents (CA and MA in the figure). The CA/MA
pair is collectively called a bus bridge. The cache agent is responsible for
issuing commands on bus 1 on behalf of the remote processors P1 and P2.
Similarly, the memory agent is responsible for representing the memory M on
bus 2. If P1 issues a read on bus 2, then MA will pass the request down to
the cache agent CA, and CA will reissue the read on bus 1. Next, the memory
supplies the data to CA, and CA passes it back to MA, which in turn forwards
it to P1. Obviously, a sequence such as this can tie up the buses for quite a
while. Thus, in order to increase performance, the protocol uses split
transactions. When a transaction is split, it is divided up into separate
initiation and completion phases. In our example, the read that P1 issues
would be split to free up bus 2. While the read request is propagating
towards memory, bus 2 can be used by P2 to issue other requests. When MA
finally receives the data that P1 requested, it issues an explicit response
transaction to supply the data.

There are two other performance optimizations used in the protocol. First,
writes are not propagated back to main memory immediately. Instead, the data
from the write is simply stored in the cache. Later, when the line needs to
be replaced in the cache, an explicit copyback is used to return the
up-to-date data to main memory. Second, processors may obtain data from other
processors' transactions by snarfing. Suppose, for example, that P1 and P2
both wish to obtain readable copies of some cache line. They arbitrate for
the bus, and let us suppose that P2 wins the arbitration and issues the read
request. The memory agent splits the transaction, goes off and obtains the
data, and then issues a response on bus 2. P2 will take the data from this
response, but P1 is also allowed to obtain the data as it passes on the bus.
When this happens, both P1 and P2 end up with valid copies of the line.


The Futurebus+ protocol falls in the class of MESI coherence protocols. MESI
stands for "Modified-Exclusive-Shared-Invalid" and represents the possible
states that a cache line can be in within a given cache.

1.  A  cache  that  has  no  information  about  a  particular  cache  line 
is  in  the  invalid  state  for  that  line.  Obviously,  neither  read  nor 
write  access  is  allowed  to  any  of  the  memory  locations  within  the 
line. 

2.  A  cache  that  is  in  the  shared-unmodified  state  has  a  readable 
copy  of  the  cache  line,  and  other  caches  may  have  copies  as  well. 
Writing  is  not  allowed  when  the  cache  line  is  in  this  state. 

3.  A  cache  that  is  in  the  exclusive-modified  state  has  a  readable  and 
writable  copy  of  the  line.  It  is  the  only  place  in  the  system  where 
up-to-date  data  is  stored,  and  hence  must  supply  the  data  when 
someone  else  issues  a  read  request. 

4. The last state, exclusive-unmodified, represents a combination of the
shared-unmodified and exclusive-modified states. In this state, the cache has
a copy of the data and only reading is allowed. However, it is also
guaranteed that no other cache has a copy of the data. If the processor whose
cache has the exclusive-unmodified copy decides to write to a location in the
cache line, the line is simply placed in the exclusive-modified state and the
write proceeds. There is no need to issue any sort of transaction to
eliminate copies that may be in other caches. On the other hand, if the
processor never writes to the line and it is necessary to purge the line from
the cache, then there is no need to copy the data back to main memory.

Next, we describe the different types of bus transactions that devices can
issue. There are two basic read transactions: read-shared and read-modified.
The former is used to request a readable copy of a cache line, while the
latter requests both read and write access. Both types of transactions may
be split. In the case of a read-shared transaction, other devices are allowed
to snarf that data as it is supplied to the requester. Note that the
read-modified transaction requires any copies of the cache line in other
caches to be eliminated. Because of this, read-modified transactions can be
split for two distinct reasons:

1. the supplier of the cache line may split the transaction if it is not
able to immediately respond with the data (splitting for access);
and

2.  a  processor  or  cache  agent  may  split  the  transaction  if  it  currently 
has  a  copy  of  the  line  and  cannot  invalidate  that  copy  immediately 
(splitting  for  invalidation). 

Snarfing is obviously not allowed on read-modified transactions.

If a cache currently has a shared-unmodified copy of a cache line, it may
request write access by issuing an invalidate command. This transaction
causes other caches with shared copies to eliminate those copies. Any of
these caches may delay the invalidation process by splitting the invalidate
transaction. Once a cache has obtained an exclusive-modified copy of a cache
line, it is the sole holder of the data in that line. As such, it is
responsible for intervening in any read requests by other caches. By
intervening, it supplies the data to someone else, and hence transitions out
of the exclusive-modified state. The only other way that it can exit this
state is by issuing a copyback transaction to return the data to main
memory. During a copyback, any cache that would like to obtain a copy of the
data in the line is allowed to snarf it. This includes the cache issuing the
copyback.

There are also two basic types of responses, corresponding to the two types
of reads. A shared-response is used to supply data to a cache whose earlier
read-shared was split. Other devices may snarf data from the shared-response.
A modified-response is used to grant read-write access, and as such it is
issued in response to split read-modified and invalidate transactions.
Recall that a read-modified can be split either for access or for
invalidation. Because of this, there are actually two forms of
modified-response: one supplying data, and one that is used only as an
acknowledgment of invalidation (an address-only modified-response). Note
also that a single invalidate may be split by multiple devices. Hence there
must be some way to tell when all of them have finished invalidating. This
is done by allowing modified-response transactions to be split. Suppose, for
example, that P1 and P2 are both invalidating. P1 finishes and issues a
modified-response. P2, which is still invalidating, cannot let this response
pass, so it splits. Later, when P2 finishes invalidating, it issues a second
modified-response. Since P2 is the last device done, this response is not
split. The cache that issued the original invalidate proceeds when it sees
this unsplit modified-response. Similarly, read-modified transactions may be
split by multiple devices, and as with invalidate, an unsplit
modified-response signals the requesting device that it may proceed.

Devices communicate their requests to split transactions, snarf data, or
intervene using three bus lines called SR, TF, and IV. These are wire-or
signals; effectively, each device $i$ has outputs $sr_i$, $tf_i$, and $iv_i$,
and $SR = \bigvee_i sr_i$, etc. (Thus, if any device requests that a
transaction be split, it will be split.) A device asserts $sr_i$ to request
that the current transaction be split. It raises $tf_i$ when it wants to
snarf data from the current transaction. Finally, if it observes a read
request, and it has an exclusive-modified copy of the requested cache line,
it asserts $iv_i$ to indicate that it will supply the data for the read.

Example 6.1 We consider a sequence of transactions dealing with some fixed
cache line for the system shown in figure 6.1. Initially, all caches have
invalid copies of the cache line. If P1 wants a readable copy of the cache
line, it issues a read-shared on bus 2. The memory agent MA cannot supply
the requested data immediately, so it asserts its sr output to split the
transaction. It passes the request to CA, which issues the read-shared on
bus 1. The memory supplies the data to the cache agent, and during the
transfer, P3 asserts its tf output and snarfs the data. P3 now has a
shared-unmodified copy of the cache line. The data is passed back to MA, and
MA issues a shared-response to provide the data to P1. P2 snarfs the data by
asserting tf during the response, and both P1 and P2 wind up with
shared-unmodified copies. P1 now requests write access by issuing an
invalidate transaction. P2 asserts sr to split the transaction for
invalidation, as does MA. P2 finishes invalidating and issues a
modified-response. Since P3 is not yet invalid, the memory agent must split
this modified-response. The request for invalidation propagates to CA, which
issues invalidate on bus 1. P3 invalidates immediately, and CA informs MA of
this. The memory agent issues a modified-response which is not split, and P1
transitions to the exclusive-modified state. P2 now requests read and write
access by issuing a read-modified. P1 intervenes by asserting its iv output
and supplies the data to P2. P1 transitions to the invalid state, while P2
becomes exclusive-modified. P2 decides to kick the line out of its cache, so
it issues a copyback to return the data to memory. The memory agent MA picks
up the data as P2 goes to invalid. The data is passed to CA, which issues
the copyback on bus 1. P3 now requests read access and issues a read-shared.
If CA does not snarf the data by asserting tf, then P3 transitions to the
exclusive-unmodified state. Later, if P3 decides to write, it goes
immediately to exclusive-modified, updates the line, and then issues a
copyback to return the data to M.
□
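The four line states, the read-shared, read-modified, invalidate and copyback transactions, and the tf and iv lines described above can be turned into a small finite-state model and explored exhaustively, which is the model-checking view of the protocol that the rest of this chapter takes. The following is an added example written for this page; it is not code from the thesis, from SMV, or from the Futurebus+ standard. It models one cache line on a single bus with a one-bit data value (the same abstraction as in section 6.2), and leaves out split transactions, bus bridges and the WT line. The exact transition rules are assumptions made for the example, in particular that an intervening exclusive-modified cache drops to shared-unmodified and refreshes memory on a read-shared, and that a copyback may be snarfed by its own issuer. Two coherence invariants are checked over every reachable state, and the flag `snarf_on_read_modified` shows what goes wrong when snarfing is allowed on a read-modified transaction.

```python
"""Exhaustive exploration of a simplified single-bus MESI snooping protocol.

Added example for this page (not from the thesis or the Futurebus+ standard):
one cache line, one bus, N caches, one memory, a one-bit data value, and no
split transactions, bridges or WT line.  The transition rules are an assumed
simplification of the informal description in section 6.1.
"""
from collections import deque
from itertools import product

I, SU, EU, EM = "I", "SU", "EU", "EM"   # invalid, shared/exclusive (un)modified
INV = (I, 0)                            # invalid copies carry no data (canonical)


def initial_state(n):
    """Every cache invalid; memory holds value 0 for the modeled line."""
    return (0, tuple(INV for _ in range(n)))


def subsets(items):
    """All subsets of `items`: the devices that may assert tf and snarf."""
    for mask in product((False, True), repeat=len(items)):
        yield [x for x, take in zip(items, mask) if take]


def successors(state, snarf_on_read_modified=False):
    """Yield the states reachable by one bus transaction or one silent write."""
    mem, caches = state
    n = len(caches)
    for i in range(n):
        st, data = caches[i]
        others = [j for j in range(n) if j != i]
        owner = next((j for j in others if caches[j][0] == EM), None)
        idle = [j for j in others if caches[j][0] == I]
        if st == I:
            # read-shared: an EM owner asserts iv and supplies the data (assumed to
            # refresh memory), otherwise memory does; idle caches may snarf, an EU
            # holder drops to SU, and the requester is EU only if nobody else keeps a copy.
            val = caches[owner][1] if owner is not None else mem
            for snarfers in subsets(idle):
                new = list(caches)
                if owner is not None:
                    new[owner] = (SU, val)
                for j in others:
                    if new[j][0] == EU:
                        new[j] = (SU, new[j][1])
                for j in snarfers:
                    new[j] = (SU, val)
                shared = any(new[j][0] != I for j in others)
                new[i] = (SU if shared else EU, val)
                yield (val if owner is not None else mem, tuple(new))
            # read-modified: every other copy is eliminated and the requester becomes
            # EM.  Snarfing is forbidden here; the flag lets the invariants show why.
            for snarfers in (subsets(idle) if snarf_on_read_modified else [[]]):
                new = [INV] * n
                for j in snarfers:
                    new[j] = (SU, val)
                new[i] = (EM, val)
                yield (mem, tuple(new))
        elif st == SU:
            # invalidate: other shared copies are purged, the requester becomes EM.
            new = [INV] * n
            new[i] = (EM, data)
            yield (mem, tuple(new))
        else:
            # EU or EM: a write needs no transaction; flip the one data bit.
            new = list(caches)
            new[i] = (EM, data ^ 1)
            yield (mem, tuple(new))
            if st == EM:
                # copyback: data returns to memory; the issuer and any idle cache
                # may snarf it and keep a shared-unmodified copy.
                for snarfers in subsets(idle + [i]):
                    new = list(caches)
                    new[i] = INV
                    for j in snarfers:
                        new[j] = (SU, data)
                    yield (data, tuple(new))


def violations(state):
    """Names of the coherence invariants that `state` breaks (empty if none)."""
    mem, caches = state
    broken = []
    valid = sum(1 for s, _ in caches if s != I)
    if valid > 1 and any(s in (EU, EM) for s, _ in caches):
        broken.append("exclusive copy coexists with another valid copy")
    if any(s in (SU, EU) and d != mem for s, d in caches):
        broken.append("unmodified copy disagrees with memory")
    return broken


def explore(n, snarf_on_read_modified=False):
    """Breadth-first reachability; returns (reachable states, {bad state: reasons})."""
    start = initial_state(n)
    seen, queue, bad = {start}, deque([start]), {}
    while queue:
        s = queue.popleft()
        if violations(s):
            bad[s] = violations(s)
        for t in successors(s, snarf_on_read_modified):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, bad
```

`explore(3)` returns an empty violation map: every reachable state has at most one exclusive copy, and every unmodified copy agrees with memory. `explore(3, snarf_on_read_modified=True)` reaches a state with one exclusive-modified and one shared-unmodified copy of the line, which is exactly why the text says snarfing is not allowed on read-modified transactions. The same exhaustive check is what a symbolic model checker such as SMV performs, with BDDs in place of the explicit set of states.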

Split  transactions  are  controlled  using  requester  and  responder  at¬ 
tributes.  When  a  device  issues  a  request  that  is  split,  it  acquires  a 
requester  attribute  that  indicates  the  type  of  response  it  expects  to 
receive.  The  device  that  splits  the  request  gets  a  responder  attribute 
that  tells  what  type  of  response  it  will  eventually  issue.  The  possible 
requester  attributes  are  as  follows: 

1. A cache has the requester-shared attribute when it is waiting for
a shared-response.

2. The requester-exclusive attribute is true when a device is waiting
for a modified-response.

3. The final attribute, requester-waiting, will be discussed below.

The responder attributes are similar:

1. A device has the responder-shared attribute when it must eventually
issue a shared-response.

2. The responder-exclusive attribute is used to indicate that the cache
must eventually issue a modified-response supplying data.

3. When a processor has the responder-invalidate attribute, it must
issue an address-only modified-response to signal the completion of
invalidation.

Each cache line has separate requester and responder attributes.

Under  the  protocol,  there  may  be  only  one  pending  transaction  per 
cache  line  per  bus  in  the  system.  Hence,  when  a  transaction  is  split, 
there  must  be  a  way  of  preventing  other  transactions  for  the  same  cache 
line  from  proceeding.  This  is  done  using  another  bus  line,  WT.  WT  is 
also  a  wire-or  signal,  so  any  device  may  drive  WT  high  by  setting  its 
individual  wt  output.  If  a  module  has  any  of  the  responder  attributes 
discussed  above,  then  it  is  already  processing  one  transaction  for  the 
same  cache  line.  When  it  observes  another  transaction  for  the  cache 
line,  it  asserts  wt  to  abort  this  new  request.  A  device  that  tries  to 
issue  a  transaction  and  observes  WT  acquires  the  requester-waiting 
attribute.  It  keeps  this  attribute  until  it  sees  a  shared-response  or  an 
unsplit  modified-response  for  the  same  cache  line.  At  that  point,  it  may 
retry  its  original  request. 

There is one slight exception to the rule of one pending transaction per
cache line per bus. Consider the system of figure 6.1, and suppose that P1
and P3 both have shared-unmodified copies of some cache line. Now assume
that both processors decide to write to the cache line at roughly the same
time and both issue invalidate transactions. The cache agent CA must split
the invalidate on bus 1 since P1 has a copy of the cache line. Similarly,
MA has to split P1's invalidate. At this point, we have a conflict: P1 is
trying to invalidate P3 and P3 is trying to invalidate P1. In the protocol,
this invalidate-invalidate collision is resolved by allowing an invalidate
to be issued underneath an already pending invalidate. First priority is
given to the invalidate that is proceeding away from main memory. Thus, MA
will issue an invalidate to eliminate the data in P1's cache. After that, CA
issues an address-only modified-response to give P3 exclusive access. Then
the cache agent uses a read-modified to get the updated data from P3, and
the data is passed to MA. MA issues a modified-response to give an
exclusive-modified copy of the cache line to P1.
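To make the attribute bookkeeping concrete, the following is an added example written for this page; it is not code from the thesis or from the standard. It tracks, for one cache line on one bus, the requester and responder attributes of each device and the effect of the WT line: a device holding a responder attribute asserts wt against any new transaction for the line, the aborted issuer acquires requester-waiting, and it is released by the next shared-response or unsplit modified-response. Which devices split a transaction, and whether they split for access or for invalidation, is passed in explicitly rather than derived from cache state, and the invalidate-invalidate collision exception above is not modeled. The device names P1, P2 and MA follow figure 6.1, but the two scenarios are constructed for the example.

```python
"""Split-transaction bookkeeping with requester/responder attributes and WT.

Added example for this page (not from the thesis or the standard).  One bus,
one modeled cache line, devices identified by name.  Which devices split a
transaction (assert sr) is given explicitly per call; the invalidate-invalidate
collision exception is not modeled.
"""
RESPONDER = {"responder-shared", "responder-exclusive", "responder-invalidate"}
REQUESTER = {"requester-shared", "requester-exclusive", "requester-waiting"}


class Bus:
    def __init__(self, devices):
        # attribute held by each device for the one modeled line (None = idle)
        self.attr = {d: None for d in devices}

    def _responders(self, exclude):
        """Devices other than `exclude` that owe a response for the line."""
        return [d for d, a in self.attr.items() if d != exclude and a in RESPONDER]

    def request(self, dev, txn, split_by=()):
        """Issue read-shared, read-modified or invalidate.  `split_by` lists
        (device, reason) pairs, reason being 'access' or 'invalidation'."""
        if self._responders(dev):
            # a transaction for this line is already pending: WT is asserted,
            # the new request is aborted and its issuer waits for the response
            self.attr[dev] = "requester-waiting"
            return "aborted"
        if not split_by:
            return "completed"
        if txn == "read-shared":
            self.attr[dev] = "requester-shared"
            for d, _ in split_by:
                self.attr[d] = "responder-shared"
        else:  # read-modified or invalidate
            self.attr[dev] = "requester-exclusive"
            for d, reason in split_by:
                self.attr[d] = ("responder-exclusive" if reason == "access"
                                else "responder-invalidate")
        return "split"

    def respond(self, dev):
        """Responder `dev` issues its shared-response or modified-response."""
        kind = self.attr[dev]
        if kind not in RESPONDER:
            raise ValueError(f"{dev} owes no response")
        self.attr[dev] = None
        if self._responders(dev):
            # other devices are still invalidating: this response is itself split
            return "split"
        # unsplit response: the requester proceeds and waiting devices may retry
        for d, a in self.attr.items():
            if a in REQUESTER:
                self.attr[d] = None
        return "shared-response" if kind == "responder-shared" else "modified-response"


def wt_scenario():
    """P1's read-shared is split by MA; P2's read-shared then hits WT and P2
    retries only after it has seen the shared-response."""
    bus = Bus(["P1", "P2", "MA"])
    return [
        bus.request("P1", "read-shared", split_by=[("MA", "access")]),
        bus.request("P2", "read-shared"),
        bus.attr["P2"],
        bus.respond("MA"),
        bus.request("P2", "read-shared"),
    ]


def invalidate_scenario():
    """P1's invalidate is split by P2 and MA; P2's modified-response is split
    because MA is still invalidating, and MA's unsplit response releases P1."""
    bus = Bus(["P1", "P2", "MA"])
    return [
        bus.request("P1", "invalidate",
                    split_by=[("P2", "invalidation"), ("MA", "invalidation")]),
        bus.respond("P2"),
        bus.respond("MA"),
        bus.attr["P1"],
    ]
```

`wt_scenario()` yields `["split", "aborted", "requester-waiting", "shared-response", "completed"]`, and `invalidate_scenario()` yields `["split", "split", "modified-response", None]`: the first modified-response is split by the device still invalidating, and only the unsplit one clears P1's requester-exclusive attribute.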

The IEEE Standard for Futurebus+—Logical Protocol Specification [59]
contains two sections dealing with the cache coherence protocol. The first,
a description section, is written in English and contains an informal and
readable overview of how the protocol operates, but it does not cover all
scenarios. The second, a specification section, is intended to be the real
standard. This section is written using attributes. An attribute is
essentially a boolean variable together with some rules for setting and
clearing it. The attributes are more precise, but they are difficult to
read. The behavior of an individual cache or memory is given in terms of
roughly 300 attributes, of which about 45 deal specifically with cache
coherence. (These 45 attributes reference many of the other attributes as
well.) As an example, the following attribute for cache modules tells when
the cache has a shared-unmodified copy of a particular cache line:

SHARED_UNMODIFIED. A CACHE or CACHE_AGENT shall set SHARED_UNMODIFIED and
clear INVALID ∨ EXCLUSIVE_UNMODIFIED ∨ EXCLUSIVE_MODIFIED if

MASTER ∧ (INVALID_STATUS ∧ ¬ADDRESS_ONLY ∧
(READ_SHARED ∨ READ_MODIFIED) ∨ KEEP_COPY ∧
(COPY_BACK ∨ SHARED_RESPONSE)) ∨ CACHED ∧
(REQUESTER_SHARED ∧ SHARED_RESPONSE ∧
INVALID_STATUS ∧ ¬ADDRESS_ONLY ∧
TRANSACTION_FLAG_STATUS ∨ SNARF_DATA ∧
¬ADDRESS_ONLY ∨ REQUESTER_EXCLUSIVE ∧
MODIFIED_RESPONSE ∧ ¬ADDRESS_ONLY ∧
SPLIT_STATUS ∨ ¬INVALID_STATUS ∧ KEEP_COPY ∧
(READ_SHARED ∨ READ_INVALID)).

A CACHE or CACHE_AGENT may set SHARED_UNMODIFIED and clear
EXCLUSIVE_UNMODIFIED if EXCLUSIVE_UNMODIFIED.

A CACHE or CACHE_AGENT shall not allow modify access to the data in a
cache line if SHARED_UNMODIFIED is set. A CACHE or CACHE_AGENT may allow
read access to the data in a cache line if SHARED_UNMODIFIED is set.

Note that even in the specification section, some aspects of a module's
allowed behavior are described informally. For example, the above attribute
specifies a processor's read-write permissions in English. Further, the bus
bridge operation is not completely specified in either section. We are given
only that externally, cache agents and memory agents should "look like"
caches and memories. There are some examples of bus bridge operation and a
description of the collision resolution mechanism, but the coordination
between cache agent and memory agent is not specified in detail. A major
part of our verification effort was devoted to making an appropriate model
of the bus bridges.


6.2  Modeling  the  Protocol 

Clearly,  verifying  a  fully  detailed  model  of  the  protocol  at  the  level 
of  the  attributes  would  not  be  practical.  Even  if  the  attributes  were 
completely  precise  and  covered  all  aspects  of  the  allowed  behavior,  the 
verification  tools  would  not  be  able  to  handle  this  model.  Further,  since 
the  attributes  are  very  difficult  to  understand,  it  would  not  be  easy  to 
make  appropriate  abstractions  to  simplify  the  verification  process.  For 
these  reasons,  we  used  the  English  language  description  as  the  basis  for 
our  model.  Situations  where  this  description  was  ambiguous  or  incom¬ 
plete  were  resolved  by  referring  to  the  attributes.  While  constructing 
the  model,  we  made  a  number  of  simplifications  and  abstractions  (listed 
below).  For  each  abstraction,  we  describe  how  it  would  be  justified  us¬ 
ing  the  techniques  discussed  previously. 

1. The standard specifies how modules should respond to exceptional
situations, such as detection of a parity error during a data transfer. In
our model, we assumed that these cases do not occur. Similarly, the standard
describes power-up, reset, and configuration protocols. We modeled only the
case of steady-state operation.

2. A fairly complex protocol is used to arbitrate for the bus and issue a
transaction. In our model, a complete arbitration/transaction cycle is
modeled as a single state transition. Given an actual implementation, we
would use abstraction via observers to make this type of simplification.
Our observer processes would watch the low-level handshaking and output in
one step the high-level indication of which module was selected as master
and which transaction it issued. This is similar to the abstraction of a
pipelined system in example 4.9.

3. We modeled only the transactions involving one cache line. This type of
simplification can be justified using abstraction via observers and symbolic
parameters. Suppose that we have an implementation in which the cache line
under consideration is the one beginning at address a. We also assume that
this cache line, plus its associated tag bits and attributes, is stored at
some location b in the cache RAM, where b depends on a. We describe the
relevant part of the cache as a symbolic composition. Our observer process
then looks at the location b to determine whether the cache line is in fact
in the cache, and if so, what its state is. The observer outputs this state
at the abstract level, or outputs invalid if the line is not stored in the
cache at location b.

4.  The  data  in  the  cache  line  is  modeled  as  a  single  bit  instead  of 
64  bytes.  We  can  use  a  symbolic  abstraction  to  perform  this 
abstraction.  The  bit  can  be  thought  of  as  representing  whether 
the  value  in  the  line  is  the  64  byte  value  c,  or  whether  it  is  some 
other  value. 

5. Components such as processors nondeterministically issue reads and
writes to the selected cache line. To justify this abstraction, we simply
hide the internal state of the processor using the restriction operator and
then apply collapse to reduce the state space. (In fact, the processor model
is essentially T, so we know it can simulate whatever the real processor
would do.)

6. Responses to split transactions are issued after arbitrary delays. This
would be justified in essentially the same way as the previous abstraction.

7. The bus bridge model is highly abstracted. This model is discussed in
detail below.

8. The standard specifies some types of transactions that are intended
mainly for peripheral devices doing I/O. Cache coherence is generally not
maintained when these instructions are used, so we assumed that they would
not be issued for the cache line that we modeled.

In  our  model,  all  of  the  devices  on  a  single  bus  are  composed  syn¬ 
chronously,  i.e.,  all  of  them  update  their  state  during  a  transaction  on 
that  bus.  Different  buses  are  composed  in  an  asynchronous  manner: 
during  a  step  of  the  system,  the  components  on  one  bus  execute  a 
transaction,  while  those  on  other  buses  make  idle  transitions. 

In  our  model  of  a  bus  bridge,  the  cache  agent  and  memory  agent 
share  a  small  amount  of  internal  state.  The  set  of  possible  internal 
states  represents  a  generalization  of  the  possible  states  of  a  cache  line 
in a processor cache. These states are as follows:

1.  When  the  bridge  is  in  the  invalid  state,  it  has  no  information 
about  the  cache  line. 

2.  In  the  local-shared  state,  the  bridge  has  an  internal  copy  of  the 
cache  line,  and  other  caches  below  (on  the  cache  agent  side  of) 
the  bridge  may  have  copies.  This  bus  bridge  state  corresponds  to 
shared-unmodified  in  a  processor  cache. 

3.  In  the  shared-valid  state,  the  bridge  has  an  internal  copy,  and 
caches  both  above  and  below  the  bridge  may  have  copies.  This 
also  corresponds  to  shared- unmodified. 

4. The shared-invalid state is a situation in which the bridge does not
have a copy of the line, but caches both above and below the bridge may.
(Note that while bridges must maintain cache tags for the lines that are in
remote caches, they need not store the line itself.) As with the previous
two states, this one corresponds to shared-unmodified in a processor cache.

5. The bridge may be in the remote-shared-unmodified-valid state,
indicating that the bridge has a copy of the line, and that caches above the
bridge may also have copies. This corresponds to the exclusive-unmodified
state in a processor cache.

6. The remote-shared-unmodified-invalid state is similar to the previous
state, but the bridge does not have a copy.

7. In the exclusive-unmodified state, the bridge has an unmodified copy of
the cache line, but no other caches in the system may have copies. This is
also analogous to the exclusive-unmodified processor cache state.

8.  The  remote-exclusive-modified  state  in  the  bridge  means  that 
some  cache  above  the  bridge  has  an  exclusive-modified  copy  of 
the  line. 

9.  The  remote-shared-modified  state  is  one  where  the  bridge  has  a 
copy  of  the  line,  remote  caches  may  have  copies,  and  the  data 
is  different  than  that  stored  in  main  memory.  Like  the  previous 
state,  this  one  corresponds  to  the  exclusive-modified  state  of  a 
cache  line. 

10.  Finally,  the  exclusive-modified  bridge  state  corresponds  to  the 
exclusive-modified  processor  cache  state,  and  represents  a  situa¬ 
tion  where  the  bridge  has  the  only  valid  copy  of  the  data  in  the 
line. 

In our initial model, the cache agents and memory agents chose commands
nondeterministically based only on the internal bridge state. There was no
explicit passing of commands between the two agents. Consider, for example,
a configuration like the one of figure 6.1. Suppose that all of the caches
and bridge are in the invalid state. If P1 issues a read-shared, then the MA
will examine the bridge state, find that it is invalid, and decide that it
must split the read request. At some later point, CA can examine the bridge
state, see that it is invalid, and nondeterministically choose to issue a
read-shared on bus 1. Suppose that this read completes and that P3 snarfs
the data; then the bridge transitions to the local-shared state. Later
still, the memory agent may get a chance to execute. Seeing that the bridge
is in the local-shared state and that it owes a response to P1, it may
nondeterministically issue a shared-response. If this happens, then P1 gets
the data and the bridge transitions to either the shared-valid or the
shared-invalid state. Note that with this model, there is no guarantee of
progress. The advantage is that the bridge model is relatively simple, which
helps make the verification possible. Further, it can simulate a wide
variety of possible implementations. For example, a bridge that detected
sequential accesses and attempted to prefetch cache lines would be covered
by this model. The abstractions used in constructing the model can be
justified using abstraction via observers plus hiding and collapsing.

The protocol model was written in the hardware description language used by SMV. SMV ("Symbolic Model Verifier") is a BDD-based CTL model checker developed by McMillan as part of his thesis [67]. There, he used SMV to verify another hierarchical cache coherence protocol, the protocol used by the Encore Gigamax [68, 67]. Due to the size of the model (about 3000 lines of code), we will not give it here. However, in order to give a feel for the language, a simplified fragment is shown in figure 6.2. This fragment deals with the responder attribute for the cache line being modeled and the wt output of a device. The language provides module facilities for structuring designs (line 1). The VAR declaration (line 2) specifies state components. All components have finite type: in this case, we declare a boolean and a value with enumerated type. The way components change is specified using the ASSIGN declaration (line 5). We can specify either the initial and next state values of the component (line 6), or we can say that the component is invariantly equal to some expression (line 24). Components without assignments are treated as inputs. The language includes facilities for specifying nondeterminism: by assigning a set to a component (line 26), we indicate that the value of the component should be chosen from the elements of the set. The model consists of four major modules, representing processor caches, memories, cache agents, and memory agents. There are smaller modules defining pieces such as the buses. Each module is essentially a series of case statements, one per component. This case statement tells how the component changes based on the current cache line state, requester and responder attributes, bus master, command, etc.


6.3  Specifying  Cache  Coherence 

     1  MODULE responding-device
     2  VAR
     3    wt : boolean;
     4    responder : {none, exclusive, invalidate, shared};
     5  ASSIGN
     6    init(responder) := none;
     7    next(responder) :=
     8      case
     9        WT : responder;
    10        master :
    11          case
    12            CMD = shared-response & responder = shared : none;
    13            CMD = modified-response &
    14              responder in {invalidate, exclusive} : none;
    15            1 : responder;
    16          esac;
    17        CMD = read-shared & sr : shared;
    18        CMD = read-modified & sr : exclusive;
    19        CMD = invalidate & sr : invalidate;
    20        CMD = modified-response & !sr &
    21          responder = invalidate : none;
    22        1 : responder;
    23      esac;
    24    wt :=
    25      case
    26        WT : {0, 1};
    27        !master & !(responder = none) &
    28          !(CMD in {shared-response, modified-response}) : 1;
    29        1 : 0;
    30      esac;

Figure 6.2: A small part of the program describing the protocol

In this section, we discuss the specifications used in verifying the protocol. More exhaustive specifications are possible; for example, we might develop specifications of each individual type of device describing how it responds to different transactions. Here, we have only tried to describe what cache coherence is, not how it is achieved. We begin with some basic safety properties. Each device model includes two flags, bus-error and error, that become true when the device observes an illegal combination of bus signals or an unexpected transaction. These conditions are defined in the standard. For example, while devices may assert sr during an invalidate transaction, they should never assert iv. If a module observes IV high during an invalidate, the bus-error state component becomes 1. The error flag becomes true when a device observes a transaction which should not occur given its internal state. For example, if a processor cache has a shared-unmodified copy of a cache line, and a read-shared is issued, then no other cache should intervene (by asserting iv) in that transaction. If another cache does intervene, then that cache must have an exclusive-modified copy of the line. This should not be the case since the first cache has a readable copy. Thus, we have the following formula for every device d in our system:

$AG(\neg d.\textit{bus-error} \wedge \neg d.\textit{error})$.   (6.1)

Here, d.error indicates the error state component in device d. We also require that if the processor cache P1 has an exclusive copy of the cache line, then no other cache P2 should have a copy.

$AG(P1.\textit{exclusive} \rightarrow P2.\textit{state} = \textit{invalid})$   (6.2)

Here, P1.exclusive is an abbreviation for

$P1.\textit{state} \in \{\textit{exclusive-unmodified}, \textit{exclusive-modified}\}$.

The next two properties state that data must be consistent within the caches: if two caches have readable copies, then they must agree on the data. Similarly, if a cache has a copy and memory is up-to-date, then the data in the cache and the data in memory must be the same.

$AG(P1.\textit{state} = \textit{shared-unmodified} \wedge P2.\textit{state} = \textit{shared-unmodified} \rightarrow P1.\textit{data} = P2.\textit{data})$   (6.3)

$AG(P1.\textit{unmodified} \wedge \neg M.\textit{memory-line-modified} \rightarrow P1.\textit{data} = M.\textit{data})$   (6.4)

The abbreviation P1.unmodified means

$P1.\textit{state} \in \{\textit{shared-unmodified}, \textit{exclusive-unmodified}\}$.

The memory-line-modified component of a memory is false when the data in memory is supposed to be accurate.

Our final safety property is one specifying strong sequential consistency or strong coherence. This property states that caches must always read up-to-date data (i.e., the last value written).

$\forall a\; AG(P1.\textit{state} = \textit{exclusive-modified} \wedge P1.\textit{data} = a \rightarrow AW(\textit{write} \vee P2.\textit{unmodified} \rightarrow P2.\textit{data} = a))$   (6.5)

The formula write is true whenever one of the processor caches is in the exclusive-modified state, i.e., when one of them can write the data in the line.

We would also like to check that the protocol ensures some form of progress. However, our initial model does not have this property. We can state an absence-of-deadlock property, i.e., that it is always possible for a cache to get readable and writable copies of the line.

$AG\,EF\; P1.\textit{state} = \textit{shared-unmodified}$   (6.6)

$AG\,EF\; P1.\textit{state} = \textit{exclusive-unmodified}$   (6.7)

$AG\,EF\; P1.\textit{state} = \textit{exclusive-modified}$   (6.8)

Unfortunately, these are not ACTL properties, and hence checking that they hold for the model does not guarantee that they are true in an actual system. We can use them for debugging purposes though; if one of these properties is false, then we can examine the counterexample produced by the model checker to see whether it represents a real deadlock. This is the approach we originally took. In section 6.6, we discuss strengthening the model and verifying stronger progress properties.


6.4  Verifying  the  Protocol 

In verifying that our model of the protocol satisfied the specification, we used the following strategy:

1. Start with small combinations of caches and memories, and work up to the more complex hierarchical configurations.

2. Concentrate first on the simple safety properties given by formulas 6.1 through 6.4. These properties all have the form $AG\, p_i$, where $p_i$ is a propositional formula.

The motivation behind the first element above is obvious. Why did we start with the simple safety properties? The idea is that we can check all of these properties using one forward search of the state space, checking at each step whether the set of states reached intersects the states satisfying $\neg p_i$ for any $i$. Once we have found a violation, we can terminate the search immediately and trace back to find a sequence of steps leading to the error. The ability to terminate the search early was important since the BDD representing the set of reached states tended to become very large once an erroneous transition had occurred. This is a fairly common phenomenon in BDD-based verification. In a correct system, there is often a nice characterization of the set of legal states, and this regularity is captured well by the BDDs. However, when the system is started outside of this set of states, it tends to make random-looking transitions, with the result that all regularity is quickly lost. By modifying SMV to perform this type of forward search with early termination, we saved a lot of time when doing the initial debugging. Once we had a model that satisfied all of the basic safety properties, we checked the more complex formulas (6.5 through 6.8). When evaluating the fixed points for the subformulas inside the AG, we restricted the searches to the set of reachable states. (As above, the idea was to avoid searching in ill-behaved parts of the state space.)

Even with the numerous simplifications made so far, verifying hierarchical configurations or configurations with more than a few processors required long execution times. For example, the very simple example of a single bus with two caches required about 10 minutes of CPU time on a Sun 3/60 to verify. In order to overcome this problem, we modified SMV so that we could use hiding and the collapse mapping to simplify the model. We then designated certain state components as hidden, and the restriction and collapsing were performed automatically. When verifying the properties discussed in the previous section, we hid all of the state components except:
1. the requester and responder attributes;

2. the cache line state and contents components; and

3. the error detection state components.

Note that all of the properties could be specified in terms of the above state components. With hiding and collapsing, the single-bus, two-cache example requires only a minute of CPU time. Table 6.1 shows the verification time (in CPU seconds) and BDD nodes required for single-bus configurations with two through seven caches. The TR BDD column shows the size of the BDD representing the transition relation, and SS BDD is the largest state set BDD. Both transition relation and state set BDDs grow linearly with the number of caches. The verification time grows roughly quadratically. (We also checked larger configurations with up to three buses and nine processor caches using a Sun 4. The state set BDDs grow linearly with the number of buses. The transition relation BDDs could grow linearly as well, but actually grow quadratically due to the way SMV represents transition relations.)


    Caches   CPU time   TR BDD   SS BDD
      2         60        7231      325
      3        120       21831      715
      4        225       50911     1128
      5        345       79173     1511
      6        535      107173     1951
      7        870      135773     2367

Table 6.1: Verification times for single-bus configurations


6.5  Errors  Discovered 

Performing the verification exposed two errors in the standard. The first of these can actually occur in simple single bus configurations, which was somewhat surprising.

Figure 6.3: System exhibiting first error

Consider the system shown in figure 6.3. Initially, both caches are invalid. Processor P1 obtains an exclusive-unmodified copy of the cache line. Next, P2 decides to issue a read-modified, which P1 splits for invalidation. However, the memory M does not split for access, and it supplies a copy of the cache line to P2. Under these circumstances, the standard specifies that P2 transitions to the shared-unmodified state. However, P1 does not acquire the responder-invalidate attribute. Instead, P2 is supposed to issue a subsequent invalidate to eliminate the copy of the line in P1's cache. Further, P1 retains an exclusive-unmodified copy of the line. This is obviously a dangerous situation, for now P1 can transition to exclusive-modified and write to the line before P2 issues the invalidate:

    A CACHE or CACHE_AGENT may set EXCLUSIVE_MODIFIED and clear EXCLUSIVE_UNMODIFIED if EXCLUSIVE_UNMODIFIED.

    A CACHE or CACHE_AGENT may allow read or modify access to the data in a cache line if EXCLUSIVE_MODIFIED is set.

The problem can be fixed by requiring that the processor cache P1 transition to the shared-unmodified state when it splits the read-modified for invalidation. There is a related problem when a read-modified is split for both access and invalidation. The proposed change eliminates the error in all situations.
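The forward search with early termination of section 6.4, run over a constructed two-cache, single-bus model of the transactions described in sections 6.3 and 6.5. This is an added example in Python, not the thesis's SMV model: the transition rules, the action names and the abstraction of line data to {0, 1} are assumptions of the example. With the standard's behaviour the search stops at the scenario above (a violation of 6.2); with the proposed change it exhausts the reachable states without finding one.

```python
"""Forward search with early termination (section 6.4) over a constructed
two-cache, single-bus model of the transactions in sections 6.3 and 6.5.
Added example, not the thesis's SMV model; line data is abstracted to {0, 1}."""
from collections import deque

INV, SU, EU, EM = ("invalid", "shared-unmodified",
                   "exclusive-unmodified", "exclusive-modified")
UNMODIFIED = {SU, EU}
EXCLUSIVE = {EU, EM}
DATA = (0, 1)

# A state is (P1.state, P1.data, P2.state, P2.data, M.data, M.memory-line-modified).
INITIAL = (INV, 0, INV, 0, 0, False)


def cache(state, i):
    """(state, data) of cache i; i = 0 is P1, i = 1 is P2."""
    return state[2 * i], state[2 * i + 1]


def with_cache(state, i, cs, d):
    s = list(state)
    s[2 * i], s[2 * i + 1] = cs, d
    return tuple(s)


def successors(state, fixed):
    """Yield (action, next state) for each transaction either cache may issue.
    fixed=False keeps the behaviour found in the standard: a cache that splits a
    read-modified for invalidation stays exclusive-unmodified while memory
    supplies the requester.  fixed=True applies the proposed change: the
    splitting cache moves to shared-unmodified."""
    mem = state[4]
    for i in (0, 1):
        j = 1 - i
        cs, cd = cache(state, i)
        ocs, od = cache(state, j)
        if cs == INV:                                       # read-shared
            if ocs == EM:   # owner intervenes, supplies its data, memory is updated
                n = with_cache(with_cache(state, j, SU, od), i, SU, od)
                yield f"P{i+1} read-shared (P{j+1} intervenes)", n[:4] + (od, False)
            elif ocs == INV:
                yield f"P{i+1} read-shared", with_cache(state, i, EU, mem)
            else:
                yield f"P{i+1} read-shared", with_cache(with_cache(state, j, SU, od), i, SU, mem)
        if cs in (INV, SU):                                 # read-modified
            if ocs == EM:
                n = with_cache(with_cache(state, j, INV, od), i, EU, od)
                yield f"P{i+1} read-modified (P{j+1} intervenes)", n[:4] + (od, False)
            elif ocs == EU:  # split for invalidation, but memory supplies the data
                n = with_cache(with_cache(state, j, SU if fixed else EU, od), i, SU, mem)
                yield f"P{i+1} read-modified (P{j+1} splits)", n
            else:
                yield f"P{i+1} read-modified", with_cache(with_cache(state, j, INV, od), i, EU, mem)
        if cs == SU:                                        # invalidate the other copy
            yield f"P{i+1} invalidate", with_cache(with_cache(state, j, INV, od), i, EU, cd)
        if cs in EXCLUSIVE:                                 # write a new value
            for v in DATA:
                if v != cd:
                    yield f"P{i+1} write {v}", with_cache(state, i, EM, v)[:4] + (mem, True)


def p62(s):
    """6.2 and its mirror image: an exclusive copy implies the other cache is invalid."""
    s1, _, s2, _, _, _ = s
    return (s1 not in EXCLUSIVE or s2 == INV) and (s2 not in EXCLUSIVE or s1 == INV)


def p63(s):
    """6.3: two shared-unmodified copies agree on the data."""
    s1, d1, s2, d2, _, _ = s
    return not (s1 == SU and s2 == SU) or d1 == d2


def p64(s):
    """6.4: an unmodified copy agrees with memory when memory is up to date."""
    s1, d1, s2, d2, mem, mmod = s
    return mmod or all(cs not in UNMODIFIED or d == mem for cs, d in ((s1, d1), (s2, d2)))


PROPERTIES = [("6.2", p62), ("6.3", p63), ("6.4", p64)]


def check(fixed):
    """Breadth-first search that stops at the first reached state violating some
    p_i and traces back to the initial state.  Returns (violated property or
    None, counterexample as a list of actions, number of states reached)."""
    parent = {INITIAL: None}
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        for name, holds in PROPERTIES:
            if not holds(s):
                trace = []
                while parent[s] is not None:
                    action, s = parent[s]
                    trace.append(action)
                return name, trace[::-1], len(parent)
        for action, n in successors(s, fixed):
            if n not in parent:
                parent[n] = (action, s)
                queue.append(n)
    return None, [], len(parent)


if __name__ == "__main__":
    for fixed in (False, True):
        print("proposed change" if fixed else "as in the standard", check(fixed))
```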

The second error arises in hierarchical configurations such as the one shown in figure 6.4.

Figure 6.4: System exhibiting second error

P1, P2, and P3 all obtain shared-unmodified copies of the cache line. P1 issues an invalidate transaction that P2 and MA split. P3 issues an invalidate that CA splits. The bus bridge detects that an invalidate-invalidate collision has occurred. That is, P3 is trying to invalidate P1, while P1 is trying to invalidate P3. Recall that in this situation, the standard specifies that the collision should be resolved by having the memory agent invalidate P1. When the memory agent tries to issue an invalidate for this purpose, P2 sees that there is already a transaction in progress for this cache line and asserts the WT signal on the bus.
    A module shall set WAIT_CACHED while $CACHED \wedge RESPONDER \wedge (READ\_SHARED \vee READ\_MODIFIED \vee INVALIDATE \vee READ\_INVALID)$.

MA observes this and acquires the requester-waiting attribute.

    A module shall set REQUESTER_WAITING if $MASTER \wedge WAIT\_STATUS \wedge (READ\_SHARED \vee READ\_MODIFIED \vee INVALIDATE \vee READ\_INVALID)$.

Recall that when a module has this attribute, it will wait until it sees a completed response transaction before retrying its command. P2 now finishes invalidating and issues a modified-response. Since P3 is not in the invalid state, this response must be split by MA. However, MA still maintains the requester-waiting attribute.

    A module shall clear REQUESTER_WAITING if $CACHED \wedge (SHARED\_RESPONSE \vee MODIFIED\_RESPONSE \wedge \neg SPLIT\_STATUS \vee WRITE\_INVALID)$.

At this point, MA will not retry its command since it is still waiting for a completed response. However, no such response can occur; we have reached a deadlock. The deadlock can be avoided by having MA clear the requester-waiting attribute when it observes that P2 has finished invalidating. (It does this as follows: Caches assert TF when they split a modified-response. The memory agent asserts SR for each modified-response to keep P1 from proceeding. When MA observes a modified-response with TF not asserted, it knows that all caches other than P1 are invalid. It then clears requester-waiting and issues its invalidate.)


6.6  Verifying  Liveness 

While the properties specifying absence of deadlock (6.6-6.8) were useful in finding errors, as we noted earlier, they are not preserved when we move to a different level of abstraction. In this section, we show how to prove stronger progress properties. We will concentrate on showing that if a cache issues a read-shared transaction, then eventually it obtains a readable copy of the cache line.

$AG(P.\textit{master} \wedge P.\textit{cmd} = \textit{read-shared} \wedge \neg WT \rightarrow AF\; P.\textit{unmodified})$   (6.9)

Our original model in fact does not satisfy this specification. This is for the following reasons:

1. The arbitration model is unfair; a device may never have a chance to issue a command.

2. A module that owes a response to a split command may never issue the response, even if it is, infinitely often, the bus master.

3. In hierarchical configurations, the selection of which bus will next transition is unfair.

4. If a cache agent splits a command, the corresponding memory agent may never pass on that command. (Similarly, a cache agent may not pass on commands split by the corresponding memory agent.)

In order to check the above property, we first had to strengthen our model. SMV provides a method for specifying acceptance conditions, and we used this facility. To ensure that arbitration is fair, we can just require that infinitely often, each device is chosen as the bus master. We can require that responses eventually be issued by enforcing

$(GF\; P.\textit{master}) \rightarrow GF(P.\textit{responder} \neq \textit{shared} \vee P.\textit{master} \wedge P.\textit{cmd} = \textit{shared-response})$.

(Unfortunately, SMV only supports fairness constraints of the form $\bigwedge_i GF\; p_i$. However, we are already requiring that $GF\; P.\textit{master}$, so we simplified the above constraint to just

$GF(P.\textit{responder} \neq \textit{shared} \vee P.\textit{master} \wedge P.\textit{cmd} = \textit{shared-response})$.

This is known as the method [61].) To eliminate the last problem, we added some interlocks to the state of the bus bridge. When the cache agent splits a read-shared, it eventually sets an interlock to let the memory agent know that it needs a valid copy of the line. The memory agent sees this interlock and, if necessary, issues a read-shared on its bus to obtain the data. It also splits all requests that would require invalidating the data while the interlock is set. Eventually, the cache agent gets the data, issues a shared-response, and clears the interlock.

We begin by considering just the single bus case. When we tried to verify property 6.9 directly, we found that the time and space required was excessive. One reason was that we could no longer hide most of the state components (as described in section 6.4). This is because the property and the acceptance conditions depend on the previously hidden components. Also, evaluating the AF operator when there are acceptance conditions requires a nested fixed point computation. A large number of iterations were needed for this computation to converge. Because of these problems, we did an assume-guarantee style verification. To begin, consider why we expect the property to be true, i.e., what properties of the environment of a cache must hold? If the environment does not split the read-shared, then the cache will obtain the data as part of the transaction. If the read-shared is split, then the environment must eventually issue a shared-response:

$AG(P.\textit{master} \wedge P.\textit{cmd} = \textit{read-shared} \wedge \neg WT \wedge SR \rightarrow AF\; CMD = \textit{shared-response})$.   (6.10)

(CMD is the command line on the bus.)
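The nested fixed point that AF needs under acceptance conditions, and the effect of the simplified GF constraint of the previous paragraph, worked on a constructed six-state abstraction of one cache and its bus environment. This is an added Python example, not the thesis's model; the state names, the transition relation and the acceptance set are assumptions of the example.

```python
"""Fair-CTL check of a read-shared progress property on a constructed
abstraction of one processor cache and its bus environment (added example,
not the thesis's SMV model).  Shows the nested fixed point behind AF under
acceptance conditions and why the GF constraint of section 6.6 is needed."""

# Constructed abstraction: P is idle, becomes master and issues a read-shared
# that is either split (rs_split) or answered directly (rs_direct), waits for a
# shared-response, observes it, holds a readable copy, and later drops it.
STATES = {"idle", "rs_split", "rs_direct", "wait", "resp", "readable"}
NEXT = {
    "idle": {"idle", "rs_split", "rs_direct"},   # arbitration may starve P
    "rs_split": {"wait"},
    "rs_direct": {"readable"},
    "wait": {"wait", "resp"},                    # environment may never respond
    "resp": {"readable"},
    "readable": {"readable", "idle"},
}
ISSUES_READ_SHARED = {"rs_split", "rs_direct"}
READABLE = {"readable"}


def ex(z):
    """EX z: states with some successor in z."""
    return {s for s in STATES if NEXT[s] & z}


def eu(p, q):
    """E[p U q] as a least fixed point."""
    z = set(q)
    while True:
        new = z | (set(p) & ex(z))
        if new == z:
            return z
        z = new


def fair_eg(p, fair):
    """E_f G p = nu Z. p ^ AND_c EX E[p U (Z ^ c)], one conjunct per acceptance
    set c (the GF c_i form SMV accepts).  The inner E[p U ...] is recomputed on
    every outer iteration, which is the nested fixed point."""
    z = set(STATES)
    while True:
        new = set(p)
        for c in fair:
            new &= ex(eu(p, z & c))
        if new == z:
            return z
        z = new


def fair_af(q, fair):
    """A_f F q = not E_f G (not q)."""
    return STATES - fair_eg(STATES - q, fair)


def fair_ag(p, fair):
    """A_f G p = not E_f F (not p), where E_f F r = E[true U (r ^ E_f G true)]."""
    fair_states = fair_eg(STATES, fair)
    return STATES - eu(STATES, (STATES - p) & fair_states)


def progress_holds(fair):
    """AG(P issues a read-shared -> AF P readable) from the initial state "idle"."""
    implication = (STATES - ISSUES_READ_SHARED) | fair_af(READABLE, fair)
    return "idle" in fair_ag(implication, fair)


# No acceptance condition: the environment may stay in "wait" forever.
NO_FAIRNESS = [STATES]
# GF(not waiting on a split read-shared): the analogue of the simplified
# constraint GF(P.responder != shared v P.master ^ P.cmd = shared-response).
RESPONSE_FAIRNESS = [STATES - {"wait"}]

if __name__ == "__main__":
    print("unfair:", progress_holds(NO_FAIRNESS))          # False
    print("with GF constraint:", progress_holds(RESPONSE_FAIRNESS))  # True
```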

We now use this property as an assumption about the environment of P and then try checking the desired specification. It does not hold; the counterexample produced by the model checker shows a situation in which the environment behaves so as to cause the P.error state component to become true. As we have already verified

$AG(\neg d.\textit{bus-error} \wedge \neg d.\textit{error})$

(property 6.1), we make this an assumption as well. The verification again fails, and the trace shows a situation where the read-shared is not split, but where the cache fails to transition to a readable state because CMD is not equal to P.cmd. This obviously should not occur, so we add the following assumption:

$AG(P.\textit{master} \rightarrow CMD = P.\textit{cmd})$.   (6.11)

With the above assertion, the property still may not hold: if the environment asserts WT while issuing the shared-response, the processor cache does not change its state. However, modules should not assert WT in this situation:

$AG(CMD = \textit{shared-response} \rightarrow \neg WT)$.   (6.12)

Taken together, these assumptions are strong enough to imply the property 6.9. At this point, we have verified

$\langle 6.10, 6.1, 6.11, 6.12 \rangle\; P\; \langle 6.9 \rangle$.

Of the assumptions that needed to be discharged, 6.10 is the most complex, so we consider it first. We will check it using the bus model B plus some assumptions about the devices on the bus. The natural assumption about each device is:

$AG(\neg d.\textit{master} \wedge CMD = \textit{read-shared} \wedge \neg WT \wedge \textit{sr} \rightarrow AF\; CMD = \textit{shared-response})$.   (6.13)

This states that if a device splits a read-shared, then eventually a shared-response must occur. Making this assumption about every device (except P) and then checking 6.10 shows that 6.10 did not hold. The error trace involves P splitting its own read-shared. This is clearly illegal, so we assume

$AG(P.\textit{master} \wedge P.\textit{cmd} = \textit{read-shared} \rightarrow \neg P.\textit{sr})$.   (6.14)

With this additional assumption, property 6.10 is true.

$\langle 6.14,\; 6.13 \text{ for each } d \rangle\; P\; \langle 6.10 \rangle$

To verify 6.13, we go back to the model of a processor cache. Based on our earlier experience, we assume that no errors would be detected and that any commands the cache issues will appear on the bus (properties 6.1 and 6.11). We also assume that the cache will get to be bus master to issue the shared-response:

$AG\,AF\; P1.\textit{master}$.   (6.15)

With these assumptions, the model checker produces an error trace that shows the cache splitting a read-shared and the environment subsequently issuing a read-modified. The cache raises P1.wt to hold up this read, but WT does not go high on the bus. At this point, P1 loses the responder-shared attribute. We therefore assume

$AG(P1.\textit{wt} \rightarrow WT)$.   (6.16)

This is still not sufficient to prove 6.13. The counterexample has P1 observing WT on the bus and acquiring the requester-waiting attribute before splitting the read-shared and acquiring responder-shared. In this case, the device that raises WT should also assert it during the read-shared. In general, P1 should never have nontrivial requester and responder attributes at the same time:

$AG(P1.\textit{responder} = \textit{none} \vee P1.\textit{requester} = \textit{none})$.   (6.17)

Adding this assumption is sufficient:

$\langle 6.1, 6.11, 6.15, 6.16, 6.17 \rangle\; P1\; \langle 6.13 \rangle$.

A similar proof shows that memory also satisfies 6.13 (with slightly weaker assumptions).

Property 6.17 can be verified using the method described in section 6.4. Basic properties such as 6.15 and 6.16 are checked using just the bus model B with no assumptions. The fact that caches do not split their own read-shared commands (6.14) can be verified using just the processor cache model. To show that WT is not asserted during shared-response transactions (6.12), we show that for each device

$AG(CMD = \textit{shared-response} \rightarrow \neg d.\textit{wt})$,

and then use these properties as assumptions together with the bus model. At this point, all assumptions have been discharged. About two minutes of CPU time were required to verify all of the assumptions except 6.1 and 6.17. (The time required for these is given in table 6.1.)

Let us now consider a hierarchical configuration (figure 6.5). Suppose that we want to prove property 6.9 for P3. The key point is to demonstrate that CA always responds to those read-shared transactions that it splits (property 6.13). We expect this to be true since:

1. the system of interlocks that we added to the model will cause MA to issue a read-shared if needed; and

2. we should be able to prove an analog of property 6.9 for read-shared transactions issued by the memory agent.

Figure 6.5: Hierarchical configuration

To try to prove 6.13 for CA, we used the cache agent and memory agent models. We assumed the latter condition above, plus other
basic properties such as 6.1 and 6.11. Several iterations were devoted to getting the interlock mechanism working. Even after this, however, the property was still found to be false. Based on the error trace, we concluded that 6.9 in fact does not hold in hierarchical systems. The scenario indicated by the counterexample is the following (refer to figure 6.5). P1 obtains an exclusive-modified copy of the cache line. At this point, the bridge is in the remote-exclusive-modified state. P3 issues a read-shared on the bottom bus, and CA splits the transaction. An interlock is set to tell the memory agent to retrieve the data. P2 issues a read-modified on the top bus, and P1 intervenes and splits the transaction. Next, MA sees the interlock and tries to issue a read-shared. However, since P1 is already processing a split transaction for the line, it asserts WT and MA acquires the requester-waiting attribute. Now P1 issues a modified-response and transitions to the invalid state, while P2 goes to exclusive-modified. MA clears the requester-waiting attribute, but before it can rearbitrate for the bus, P1 issues a read-modified which P2 intervenes in and splits. At this point the process repeats; MA tries to issue a read-shared but is told to wait by P2, and eventually the modified cache line passes back to P1. Thus, MA never successfully issues the read-shared and never obtains the data. What we have found is that fair arbitration is not sufficient to guarantee absence of livelock. (Actually, it is hard to imagine any arbitration scheme that would avoid this problem. It seems that some sort of queue-based system for recording requests would be required. Because this represents a substantial change to the protocol, we did not attempt to develop a model that guarantees progress. Another possibility would be to require that the memory agent be sufficiently fast. That is, if the memory agent is guaranteed to rearbitrate immediately to try to issue the read-shared after it sees the modified-response, and if the arbitration is fair, then it may be possible to prove progress.)

Overall, our approach of performing assume-guarantee style verification by working backwards from the desired property seems to be fairly natural. Counterexamples from the model checker are used to guide the selection of appropriate assumptions at each stage. Further, in situations like the above where the property that we are trying to verify does not hold, we are eventually led to a counterexample representing a real error condition. This is an important point, since most of the verification time and effort is spent working on incorrect designs. Assume-guarantee reasoning can still be an effective tool in these situations.

6.7  Summary 

We have demonstrated our verification techniques using a substantial example, the IEEE Futurebus+ cache coherence protocol. We constructed an abstract model of the protocol and checked whether it satisfied a temporal logic specification of cache coherence. In performing the verification, we found two errors. We used assume-guarantee reasoning to check liveness properties of the protocol. We were able to show that the single-bus version of the protocol did satisfy our liveness specification, but that livelocks may occur in a hierarchical configuration.


Chapter  7 
Conclusion 


We have described methods for doing compositional verification and for using abstraction in the context of temporal logic model checking. Our techniques are based on ACTL, a subset of CTL in which we eliminate the E path quantifier. We showed how to do full assume-guarantee style reasoning with ACTL, and how to use abstraction to verify systems that manipulate data in non-trivial ways. To demonstrate that our techniques were practical, we used abstraction and assume-guarantee style reasoning to verify the IEEE Futurebus+ cache coherence protocol. During the verification process, we discovered errors in the IEEE standard.

While we have considered a number of examples besides the Futurebus+ protocol, we would like to gain more experience in trying to apply our techniques to real systems. We feel that it is particularly important to look at a single system across several levels of abstraction. Recall that in the Futurebus+ example, we constructed the abstract model directly since we did not have a formal low-level model. (While much of the standard is expressed in terms of boolean attributes, they are poorly structured, not entirely formal, and incomplete.) As such, we were not able to automatically apply abstraction via observers or the techniques described in section 4.2 to this example. It would be interesting to develop an implementation-level description of one of the types of Futurebus+ modules (e.g., a processor board) and to try to show that the model we used is a valid abstraction.

There are also a number of theoretical questions that we would like to
address. One question concerns the exact complexity of the compositional
model checking problem for full CTL. In chapter 2, we showed that it was
NP-hard, and, since our interest is mainly in practical methods, developed
a polynomial-time approximation algorithm. However, it is not even
entirely clear that the problem is decidable. One approach for showing
decidability would be to try to reduce the problem to a containment
problem on tree automata. It is well known that the set of computation
trees satisfying a CTL formula is an ω-regular tree language [46, 81] and
is accepted by a finite automaton on infinite trees. If the set of
computation trees representing the closed systems that can be obtained by
composition with a given Moore machine is also ω-regular, then the problem
can be solved by testing inclusion between the two automata.

Another problem involves deciding whether ≼ holds between two arbitrary
structures. We believe that we have a polynomial-time algorithm for this
problem, but we have not proved it correct. It roughly involves executing
a fixed point computation like that involved in testing language inclusion
as discussed by Clarke, Draghicescu, and Kurshan [26]. However, even if
our algorithm is correct, we are not optimistic that it will work well in
a BDD-based setting. It may be more important to look for additional
approximation algorithms for this problem.

We believe that it may be possible to use ideas similar to those in
section 4.2 in order to generate abstractions of infinite state systems.
If the program describing the system is written in terms of abstract data
types described by algebraic specifications [65], we believe that
automated theorem proving and term rewriting techniques could be used to
derive abstract versions of the primitive operators. Of course the
abstracted systems would have to be finite state in order to apply our
model checking tools. It is not yet clear how conservative these finite
approximations will be.

Finally, there is work to be done on helping the user apply the
techniques that we have proposed. Our methods require that the user decide
on appropriate assumptions during an assume-guarantee proof and on what
abstractions to make. It is unlikely that either of these steps can be
fully automated, but it may be possible to provide hints. For example, if
the user is trying to verify a system involving a data path, then the
examples that we verified in chapters 4 and 5 can suggest useful
abstractions. There is also the problem of providing feedback when the
verification fails. Since our verification methods are conservative, the
traces produced by the tools when verifying an abstract model need not
actually correspond to legal executions in the actual system. It may be
possible to use the information from the abstract-level verification to
constrain a lower-level search for an actual error trace. Alternatively,
lower-level information might be used to guide the generation of a
meaningful abstract-level counterexample.


Appendix A

Summary of BDDs


Reduced ordered binary decision diagrams (BDDs) are a canonical form
representation for boolean functions [17]. They are often substantially
more compact than traditional normal forms such as conjunctive normal form
and disjunctive normal form, and they can be manipulated very efficiently.
Hence, they have become widely used for a variety of applications,
including symbolic simulation, verification of combinational logic, logic
synthesis, and finite-state verification. A BDD is similar to a binary
decision tree, except that its structure is a directed acyclic graph
rather than a tree, and there is a strict total order placed on the
occurrence of variables as one traverses the graph from root to leaf.
Figure A.1 shows an example BDD. It represents the function
(a ∧ b) ∨ (c ∧ d), using the variable ordering a < b < c < d. Given an
assignment of boolean values to the variables a, b, c and d, one can
decide whether the assignment makes the function true by traversing the
graph beginning at the root and branching at each node based on the value
assigned to the variable that labels the node. For example, the
assignment {a = 1, b = 0, c = 1, d = 1} leads to a leaf node labeled 1,
hence the function is true for this assignment.

Bryant showed that, given a variable ordering, there is a canonical BDD
for every function [17]. This canonical form is obtained by starting from
an ordered (but not necessarily reduced) binary decision diagram and
applying the following two reduction rules. First, if two nodes n1 and n2
in the graph are isomorphic, then we delete n2 and redirect all of the
arcs going into n2 so that they point to n1. Second, if the two arcs
coming out of a node n1 both point to the same node n2, then we delete n1
and redirect all arcs into n1 so that they point to n2. Eventually, we
will not be able to apply either rule. At this point, the graph is a
canonical reduced ordered binary decision diagram. The size of a BDD can
depend critically on the variable ordering. For many of the functions
that seem to arise in practice, there are orderings for which the BDD
size is polynomial in the number of variables.

An important property of BDDs is that they degrade gradually: most
operations can be performed in polynomial time, and the results of those
operations are polynomial in the size of the inputs to the operation.
Given BDDs for f and g, logical combinations of these functions such as
f ∨ g and ¬f can be computed in time linear in the product of the sizes
of the argument BDDs. Quantification over a single variable (∃x f)
requires polynomial time, but quantification over a set of variables may
be exponential in the number of variables. However, in practice,
quantification is usually efficient since it reduces the number of
variables that the function depends on. Substituting a function g for the
variable x in f is also polynomial. Multiple (simultaneous) substitution
is exponential in the worst case, but again is usually well-behaved in
practice.

In our work, we use BDDs as a means of representing sets, relations, and
functions over finite domains, and for manipulating these objects. Given
a finite domain D, we first encode the elements of D using a set V of
boolean variables. Let us suppose for simplicity that D has exactly 2^k
elements and that V consists of k variables. Then every valuation of the
variables in V corresponds to exactly one element of D. A boolean
function χ over V can be identified with the set of valuations that make
the function true. By identifying each such valuation with the
corresponding element of D, we can view χ as representing a subset of D.
This is called the characteristic function representation of the set.
Relations over, e.g., D × D can be represented in a similar way, except
now we need 2k boolean variables to encode the pairs of elements of D.
Functions are simply viewed as a special case of relations. There is a
close correspondence between set and relational operations and logical
operations on the corresponding characteristic functions. For example, if
D1 and D2 are subsets of D and are represented by χ_D1 and χ_D2,
respectively, then the characteristic function for D1 ∪ D2 is simply
χ_D1 ∨ χ_D2. Other operations that can be performed efficiently include
intersection, quantification over elements of D, functional and
relational composition, etc.
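The following Python program is an added example for this appendix; it is
not code from the thesis or from any BDD package the thesis used. It
implements the two reduction rules (rule 1 through a unique table of
(variable, low arc, high arc) triples, rule 2 in the node constructor),
Bryant's apply algorithm, restriction and single-variable existential
quantification, and the root-to-leaf evaluation described for Figure A.1.
It then uses the same package for the characteristic-function
representation of subsets of a 16-element domain D, so that union,
intersection and complement of sets become ∨, ∧ and ¬ on BDDs. The
ordering a < b < c < d, the encoding of D by the four bits a (most
significant) through d, and every function name (mk, apply, chi, members,
and so on) are the example's own assumptions.

```python
"""Minimal reduced ordered BDD package with a hash-consed unique table.
Added example, not code from the thesis.  Assumes the ordering a < b < c < d
of Figure A.1 and a 16-element domain D encoded by the bits a (most
significant) through d (least significant)."""

ORDER = ["a", "b", "c", "d"]             # assumed total order a < b < c < d
TERMINAL = len(ORDER)                     # pseudo-level of the leaves 0 and 1
_nodes = {0: (TERMINAL, None, None), 1: (TERMINAL, None, None)}  # id -> (level, lo, hi)
_unique = {}                              # (level, lo, hi) -> id

def mk(level, lo, hi):
    """Node constructor that applies both of Bryant's reduction rules."""
    if lo == hi:                          # rule 2: both arcs agree, drop the test
        return lo
    key = (level, lo, hi)
    if key not in _unique:                # rule 1: isomorphic nodes share one id
        _unique[key] = len(_nodes)
        _nodes[_unique[key]] = key
    return _unique[key]

def var(name):
    return mk(ORDER.index(name), 0, 1)

def apply(op, f, g):
    """Bryant's apply: Shannon expansion on the earliest variable of f or g.
    Memoising on (u, v) bounds the work by |f| * |g|, the bound in the text."""
    memo = {}
    def rec(u, v):
        if u in (0, 1) and v in (0, 1):
            return op(u, v)
        if (u, v) not in memo:
            top = min(_nodes[u][0], _nodes[v][0])
            u0, u1 = _nodes[u][1:] if _nodes[u][0] == top else (u, u)
            v0, v1 = _nodes[v][1:] if _nodes[v][0] == top else (v, v)
            memo[(u, v)] = mk(top, rec(u0, v0), rec(u1, v1))
        return memo[(u, v)]
    return rec(f, g)

def AND(f, g): return apply(lambda x, y: x & y, f, g)
def OR(f, g):  return apply(lambda x, y: x | y, f, g)
def NOT(f):    return apply(lambda x, y: x ^ y, f, 1)

def restrict(f, name, value):
    """f with variable `name` fixed to value (0 or 1)."""
    lv, memo = ORDER.index(name), {}
    def rec(u):
        if u in (0, 1) or _nodes[u][0] > lv:   # variable cannot occur below here
            return u
        if u not in memo:
            l, lo, hi = _nodes[u]
            memo[u] = (hi if value else lo) if l == lv else mk(l, rec(lo), rec(hi))
        return memo[u]
    return rec(f)

def exists(f, name):
    """Existential quantification: (exists x. f) = f[x:=0] or f[x:=1]."""
    return OR(restrict(f, name, 0), restrict(f, name, 1))

def evaluate(f, assignment):
    """Walk root to leaf, branching on the value of each node's variable."""
    u = f
    while u not in (0, 1):
        l, lo, hi = _nodes[u]
        u = hi if assignment[ORDER[l]] else lo
    return u

def size(f):
    """Number of non-terminal nodes reachable from f."""
    seen, stack = set(), [f]
    while stack:
        u = stack.pop()
        if u not in (0, 1) and u not in seen:
            seen.add(u)
            stack.extend(_nodes[u][1:])
    return len(seen)

def example_function():
    """The BDD of Figure A.1: (a and b) or (c and d)."""
    return OR(AND(var("a"), var("b")), AND(var("c"), var("d")))

# Characteristic-function representation of subsets of D = {0, ..., 15}.
def encode(x):
    return {v: int(bit) for v, bit in zip(ORDER, format(x, f"0{len(ORDER)}b"))}

def chi(subset):
    """BDD of the characteristic function of a subset of D (OR of minterms)."""
    f = 0
    for x in subset:
        m = 1
        for name, bit in encode(x).items():
            m = AND(m, var(name) if bit else NOT(var(name)))
        f = OR(f, m)
    return f

def members(f):
    """Decode a characteristic function back into the subset it represents."""
    return [x for x in range(2 ** len(ORDER)) if evaluate(f, encode(x)) == 1]
```

Because every node is built through mk, two BDDs for the same function
always receive the same node id, so equality of ids is equality of
functions: chi({12, 13, 14, 15}) is the node for a ∧ b, chi({3, 7, 11, 15})
is the node for c ∧ d, and their OR is exactly example_function(), the
four-node BDD of Figure A.1; members(AND(...)) of the two sets yields [15],
their intersection, and exists(example_function(), "d") is the node for
(a ∧ b) ∨ c.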